[Uta] [Technical Errata Reported] RFC8689 (7705)
RFC Errata System <rfc-editor@rfc-editor.org> Mon, 20 November 2023 12:23 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A805CC151534 for <uta@ietfa.amsl.com>; Mon, 20 Nov 2023 04:23:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.261
X-Spam-Level:
X-Spam-Status: No, score=-0.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_SOFTFAIL=0.732, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4t7uU4aOuwS for <uta@ietfa.amsl.com>; Mon, 20 Nov 2023 04:23:25 -0800 (PST)
Received: from rfcpa.amsl.com (rfcpa.amsl.com [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2913DC15109E for <uta@ietf.org>; Mon, 20 Nov 2023 04:23:25 -0800 (PST)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 86C7C19D44CF; Mon, 20 Nov 2023 04:23:24 -0800 (PST)
To: fenton@bluepopcorn.net, superuser@gmail.com, francesca.palombini@ericsson.com, leifj@sunet.se, valery@smyslov.net
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: mechiel@ueber.net, uta@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20231120122324.86C7C19D44CF@rfcpa.amsl.com>
Date: Mon, 20 Nov 2023 04:23:24 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/BJMW63Fr2PN16NaZK23tDYQ8CzA>
Subject: [Uta] [Technical Errata Reported] RFC8689 (7705)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Nov 2023 12:23:29 -0000
The following errata report has been submitted for RFC8689, "SMTP Require TLS Option". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid7705 -------------------------------------- Type: Technical Reported by: Mechiel Lukkien <mechiel@ueber.net> Section: 4.2.1 Original Text ------------- 4. Establish a TLS-protected SMTP session with its peer SMTP server and authenticate the server's certificate as specified in [RFC6125] or [RFC7672], as applicable. The hostname from the MX record lookup (or the domain name in the absence of an MX record where an A record is used directly) MUST match the DNS-ID or CN- ID of the certificate presented by the server. Corrected Text -------------- 4. Establish a TLS-protected SMTP session with its peer SMTP server and authenticate the server's certificate as specified in [RFC6125] or [RFC7672], as applicable. Notes ----- The second sentence tries to explain/summarize the policies found in the RFCs referenced in the first sentence, about PKIX and DANE. But the explanation seems to accidentally sets new requirements that contradict behaviour specified by DANE: With DANE-EE TLSA records, no specific hostname validation must be done, instead verification is done based on (hash of) SPKI/entire certificate. (DANE-TA hostname verification is also a bit more nuanced). Since the requirements are accurately explained in the RFCs referenced in the first sentence, it seems better to completely remove the second sentence. I would also like to point out that implementers may want to take care not to treat the situation where all TLSA records are "unusable" (as explained in DANE RFCs) as "authenticated with DANE", in line with "[...] or it MUST be verified successfully using DANE [...]" on line 197. Instructions: ------------- This erratum is currently posted as "Reported". (If it is spam, it will be removed shortly by the RFC Production Center.) Please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party will log in to change the status and edit the report, if necessary. -------------------------------------- RFC8689 (draft-ietf-uta-smtp-require-tls-09) -------------------------------------- Title : SMTP Require TLS Option Publication Date : November 2019 Author(s) : J. Fenton Category : PROPOSED STANDARD Source : Using TLS in Applications Area : Applications and Real-Time Stream : IETF Verifying Party : IESG
- Re: [Uta] [Technical Errata Reported] RFC8689 (77… Jim Fenton
- [Uta] [Technical Errata Reported] RFC8689 (7705) RFC Errata System