IETF Logo Mail Archive

Re: [Uta] New proposal: SMTP Strict Transport Security

Daniel Margolis <dmargolis@google.com> Tue, 22 March 2016 10:11 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9506712D14F for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 03:11:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fDrGgp32AsQT for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 03:10:58 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E41E12D0F0 for <uta@ietf.org>; Tue, 22 Mar 2016 03:10:58 -0700 (PDT)
Received: by mail-ig0-x22a.google.com with SMTP id av4so102067633igc.1 for <uta@ietf.org>; Tue, 22 Mar 2016 03:10:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=cKmtSfFEtXkzieQo/qsY0h7ouV0AEJb8L9Vf4XJ+ZGE=; b=jbk1ovZ4tK+0JRZdHzi1+pEjFD4eBAECsZH+DPrwAtaIe8cN9UJflbgkVK3J26Za8f CMoDcnpeUJk0RigWAqqFl4+pQP/nyANA+pKjUTsUnxvy2NjtZQzwumxvH3f2/29/SvGY TQ6iavmrFZPTnlEn58i+FJO4pi0eDWblTjJ/B1ZgUowpo/a1Kxr1q6CGW5JQ1HxG/hfV QKdnxI/InEo/+9RPLCGudaCe7CW5piLOBTgCOQxzPVpTop0quYFysVIRnXpfcyKuvOjg kzPI/M+Y4rcxp9VsIO10C7c/WFzh18fWWtvquinaYNs1wlS4IlxyoA9jPC12JCku+mDd 3l6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=cKmtSfFEtXkzieQo/qsY0h7ouV0AEJb8L9Vf4XJ+ZGE=; b=NRnGqpRNejIAOxsMi+HZ2oYeIUrfsXhMQZumh8oouwBI1eVH5o6AvgusVeSSrVDoij dmIKTFbFBdl2UVfml+rtQwv0PTShQdlPACH4k2B3m6XJvFCHUUkE0aKuE+1VrUwhnO/r Uuq4bHGr3yuXq2ZKyGrbl8IS8aoDfVpT07APr/ZrFk6dlDFAae7C9FWuJZUn3wSVU17f XLaJv7uFYvOoYCxPhs+7LxDfU6xCUNQTdd5fNLbDlEaHY1rVe53vl8pSq2G4o4jUm3sc af9YWHbidFBE1FkJhM3GHrQgeeDVWyhWyURml0lirfPoC95PdvRsHZiM2sC0O/L90oo0 8DJg==
X-Gm-Message-State: AD7BkJIu/VkeGwJPMN+DjcKmV9qp120CgUK8xJ5Z4ogu6eJUZXcDprL2e9WbHlaT0/1Yk99sANXbHriaKWTIm/+7
MIME-Version: 1.0
X-Received: by 10.50.25.137 with SMTP id c9mr17643205igg.84.1458641457318; Tue, 22 Mar 2016 03:10:57 -0700 (PDT)
Received: by 10.64.251.136 with HTTP; Tue, 22 Mar 2016 03:10:57 -0700 (PDT)
In-Reply-To: <D31BCFDF-5926-413A-8624-26B65F741A75@noware.co.uk>
References: <CAB0W=GS2PXF-divC+SNs+A-jH1-_BBA889-TbQXHvrVsrbKLEA@mail.gmail.com> <CAB0W=GSQ4oTLT+qepMi7Pj5=UmBD70D_uW7c193RY-gw818ORA@mail.gmail.com> <CAB0W=GRB_6LhqEGYzeYq-srnM99wqwZrdjUEm=vJ7+oFiKbYoA@mail.gmail.com> <CAB0W=GTGja5JtxGuCzhD6O3B2Ow-wLN-B6WQ8XUDyvQRqdFZxw@mail.gmail.com> <20160322063527.GD6602@mournblade.imrryr.org> <CANtKdUeh8LV1uaWAyRqQ2ou4pdTNvKgzuJ5kKsQLwPFORqrDQA@mail.gmail.com> <20160322084859.GF6602@mournblade.imrryr.org> <D31BCFDF-5926-413A-8624-26B65F741A75@noware.co.uk>
Date: Tue, 22 Mar 2016 11:10:57 +0100
Message-ID: <CANtKdUdLiLDE5s2Exj4eh+o1Fob2-bDXWCpJM87mHKBa+aQkYQ@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: Neil Cook <neil.cook@noware.co.uk>
Content-Type: multipart/alternative; boundary="047d7bdca50ceb8537052ea06d69"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/AuH_VhT8sGhvL57Sx3p36MQYpbM>
Cc: uta@ietf.org
Subject: Re: [Uta] New proposal: SMTP Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 10:11:00 -0000

Thanks for the feedback to both of you. I don't disagree; I think Viktor
makes a very solid point in favor of simplicity. In addition, a report-only
protocol could be extended to support arbitrary error reporting; an
out-of-band (e.g. HTTP) channel to share delivery failures between domains
strikes me as useful in the general case.

Separately, because we're already assuming providers (both sending and
receiving) make a choice on implementing DANE and/or webPKI, I don't think
actually splitting the two makes it any more or less complex to implement,
or should discourage adoption of one or the other mechanism.

So I would say I'm feeling a bit in favor of Viktor's suggestion, but I'd
like to chat a bit more with my co-authors and think about it first. ;)

Viktor, as an aside regarding the hosted mail scenario, we already had the
suggestion to move the HTTPS endpoint to something like "_
smtp_sts.example.com/current". If we do that, the customer (example.com)
can make this a CNAME for "_smtp_sts.hostingdomain.com", who can use SNI to
serve the policy with the customer's cert (assuming the customer trusts the
hosting provider with this; for domains that don't operate their own HTTPS
endpoint this seems to me to be likely). For the more complex case, the
cron setup you describe doesn't seem too onerous, I agree.

Thanks again for the feedback.

On Tue, Mar 22, 2016 at 10:21 AM, Neil Cook <neil.cook@noware.co.uk> wrote:

>
> > On 22 Mar 2016, at 08:49, Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> >
> > On Tue, Mar 22, 2016 at 08:58:25AM +0100, Daniel Margolis wrote:
> >
> > My (strong) suggestion: use DNS for just cache invalidation, and
> > perhaps also publication (via a separate record) of the "rua"
> > reporting URI.  Do not duplicate data which one must in any case
> > obtain and cache via HTTPS in DNS.
> >
> > Do not attempt to hedge your bets and support DANE/DNSSEC via STS,
> > I don't think that makes much sense either.
> >
>
> I agree with the “don’t hedge your bets” part. I was quite surprised to
> see all the justification for STS in the first part of the document,
> including “the mechanism described here presents a variant for systems not
> yet supporting DNSSEC”, and yet then goes on to include DNSSEC as one of
> the policy authentication mechanisms.
>
> >    * Allow (DANE or other) domains to publish just the RUA,
> >      the feature is not STS-specific.
> >
> +1
>
> Neil
>
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>
>

v2.23.0 | Report a Bug | By Email