Re: [Uta] MTA-STS-03 review
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 03 April 2017 21:05 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5073D128CD5 for <uta@ietfa.amsl.com>; Mon, 3 Apr 2017 14:05:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dKPuj-hKH5bK for <uta@ietfa.amsl.com>; Mon, 3 Apr 2017 14:05:17 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A1B51243F3 for <uta@ietf.org>; Mon, 3 Apr 2017 14:05:17 -0700 (PDT)
Received: from [172.31.30.48] (gzac12-mdf2-1.aoa.twosigma.com [208.77.215.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 87C747A330A for <uta@ietf.org>; Mon, 3 Apr 2017 21:05:16 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CANtKdUdYU0yvQOXHqkvtD06jvEyNhhtwA2JSS9MzFE-XHcJh_Q@mail.gmail.com>
Date: Mon, 03 Apr 2017 17:05:15 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: uta@ietf.org
Message-Id: <D0683AB1-4D85-4509-857F-AA17EC2334C6@dukhovni.org>
References: <4C0807DA-4852-4DAC-80ED-8A25371CFFAA@dukhovni.org> <CANtKdUfOZYSr_SuGHdDHHgrF8J5VjEWwVw_7KC2xS5DrCKhu-w@mail.gmail.com> <20170326205218.GN11426@blitiri.com.ar> <92500952-2A50-4508-8686-03CDBF72485D@dukhovni.org> <CANtKdUfL+RT05KSqj5i4YeoRa=gHywNosou2VPF6acPDpRhG0g@mail.gmail.com> <20170330105556.GR11426@blitiri.com.ar> <20170403193531.GO25754@mournblade.imrryr.org> <CANtKdUdYU0yvQOXHqkvtD06jvEyNhhtwA2JSS9MzFE-XHcJh_Q@mail.gmail.com>
To: uta@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/CSblhMaS9ZIknlKnYEVcw5Hsf7c>
Subject: Re: [Uta] MTA-STS-03 review
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 21:05:19 -0000
> On Apr 3, 2017, at 4:53 PM, Daniel Margolis <dmargolis@google.com> wrote: > > In hypothetical pseudocode, your MX is going to be doing something like this: > > for candidate in mx_list: > if try_to_send(candidate): > success = True > break Yes, but with an initial step to prune the MX list when the sending host is a member of that list... And of course dealing with multi-recipient messages, ... > And in the cert validation (or DANE validation or anything else) step, > we modify "try_to_send()" to close the connection and return False if > the cert validation fails, no? When authentication is required and fails, all recipients tempfail, and the next candidate MX is tried (ignoring details of what "next host" means when MX hosts have multiple IP addresses). > So your point seems to be that the MX selection logic must be modified > to support the MX matching approach: The draft suggests filtering the MX host list first, and then looping over the remaining hosts. > for candidate in filter_mx_list(mx_list): > # etc As above. > Right? But why would you not simply modify "try_to_send()" > to check the hostname against the policy (same as it would > check the cert SANs or CN against the policy)? One could defer the hostname validation, but if it is really just an MX hostname filter, and not a certificate filter, then there would be a futile connection to the host, and a TLS handshake, before the TLS layer discovers that the MX hostname is a priori forbidden by the STS policy. > I'm afraid I don't understand the distinction you are drawing > between modifying candidate selection and modifying cert > validation. Can you explain a little more? If the policy restricts the acceptable content of the MX RRset in DNS, then one ought to avoid connections to "forged" MX hosts, which requires changes to the MX selection loop. If the policy restricts the acceptable names in the MX host certificate, then MX selection remains unaffected, and one tempfails connections where the peer certificate fails to validate (for any of a set of reasons, including name check failure). -- Viktor.
- [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Jeremy Harris
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review David Illsley
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Alberto Bertogli
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Alberto Bertogli
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis
- Re: [Uta] MTA-STS-03 review Viktor Dukhovni
- Re: [Uta] MTA-STS-03 review Daniel Margolis