IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 27 October 2017 18:21 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5CF13F42F; Fri, 27 Oct 2017 11:21:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E_YRaPi6RHba; Fri, 27 Oct 2017 11:21:02 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8673F13F3AC; Fri, 27 Oct 2017 11:21:02 -0700 (PDT)
Received: from [192.168.1.161] (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 9584A7A330D; Fri, 27 Oct 2017 18:21:01 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.0 \(3445.1.7\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <D5ED7737-D201-41A2-B24D-661D10D19EE0@oracle.com>
Date: Fri, 27 Oct 2017 14:21:00 -0400
Cc: uta-chairs@ietf.org, draft-ietf-uta-email-deep@ietf.org, The IESG <iesg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A7792E43-E45B-4E0D-B3D2-B6257DE03B85@dukhovni.org>
References: <150852235551.15416.1247335476327491501.idtracker@ietfa.amsl.com> <98fddd93-a0a8-efa3-ce2e-530449ae536c@network-heretics.com> <8B20BC5A-A60A-4A31-9345-E970B31BC2C3@oracle.com> <a67ef1d0-1637-fe48-9fb1-664ad8b3172d@network-heretics.com> <D5ED7737-D201-41A2-B24D-661D10D19EE0@oracle.com>
To: uta@ietf.org
X-Mailer: Apple Mail (2.3445.1.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/DWH7FgluHRUHrXB_a7BpHEXzUJc>
Subject: Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Oct 2017 18:21:06 -0000


> On Oct 27, 2017, at 2:03 PM, Chris Newman <chris.newman@oracle.com> wrote:
> 
> I just re-read the related text a bit more carefully. Although RFC 7817 adequately covers what subjectAltName identities mail servers need to support in certificates, it doesn't cover what goes in SNI (although it mentions SNI). Ditto for RFC 6186. This is annoying; the issue really should have been addressed in 7817 or 6125 :-(

My take is that use of SRV-ID will see negligible or no adoption, and so
despite https://tools.ietf.org/html/rfc7817#section-5.1 there is no
likely value in sending anything other than the target hostname in SNI.
Validation of the SRV record via the WebPKI rather than DNSSEC is
from this perspective basically unrealistic.

> I suspect in practice that most MUAs use the post-SRV-lookup hostname in TLS SNI.

Agreed, where most is ~100%.

> And server support for that name form in SNI will be necessary to interoperate
> with MUAs that don't support RFC 6186

Agreed.

> (or use an alternative autodiscovery mechanism in preference to RFC 6186). So the remaining question is would it be useful/helpful for a server to also support an SNI based on the SRV record or SRV-ID name? I don't think the answer to that question is important enough to justify a normative change to this document.

My take is that support for SRV-ID in SNI would be largely pointless.

> To address this, I suggest we add a sentence to the end of section 4.4 (just before the sentence referencing 7817):
> 
> --
> Mail servers supporting SNI need to support the post-SRV hostname to interoperate with MUAs that have not implemented RFC 6186.
> --
> 
> I view that as a statement of fact rather than a normative change so I think it's kosher. Saying more on the topic would probably cross the normative change line so I'd prefer not to go there.

Works for me.  Of course another way to interoperate (for servers
that don't TLS virtual hosting) is to simply ignore any SNI extension
from the client and always present the same (sole) server certificate
chain.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email