Re: [Uta] Smallest practical MTA-STS maximum policy age?
Ivan Ristic <ivan.ristic@gmail.com> Sun, 24 May 2020 11:33 UTC
Return-Path: <ivan.ristic@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B19843A0A1C for <uta@ietfa.amsl.com>; Sun, 24 May 2020 04:33:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wel2pvYxR4x9 for <uta@ietfa.amsl.com>; Sun, 24 May 2020 04:33:37 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DE213A0A13 for <uta@ietf.org>; Sun, 24 May 2020 04:33:37 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id 4so15103864ilg.1 for <uta@ietf.org>; Sun, 24 May 2020 04:33:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=6Fe/baBPf75VXyEx9PM4UkL+H58uC8Hg8iMJPOIYA7Q=; b=Vv5AAmvAi+6jkaNgYNr/RNYwUNA0+c8loz1eoJn8XNLc6cZTFAlXOKTQUx/TcI5m+n zsuVRGioOqE9T8CCeqsHa0seAlMoOf1Bw1OPdVdO6WN7f2Hwl9tKxEOE7jfB8nb1Iy+w C2eNrI2J4GGU6BtUYhOLhgTgl8kE9OwjqbwAIDRtLQ8mg8j8BMhyjLBko5SUxw1rPjmO 1S9U2wm19d7BL3Y4M+hBJWDNe7TkJTtg5kbOMPOibAXX49lywLHNsz1R26pUwJ0nbldg G2cRPJdTq+Bh8N4OmvEKrbxFK8hyc+VCsE92nROjWeDbgFDHv8GszsDJ4aQcddyDl560 Yx3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=6Fe/baBPf75VXyEx9PM4UkL+H58uC8Hg8iMJPOIYA7Q=; b=EgbVJRICElOeeTOciZ5OxYWKhhfxfgu8maK4UVy0NsUSoqFcI7I8CtiqCT/1kmn8Jv FEqEOor8JmsWtXP+yQM5Z2eXttlbUkMW0cMJ2KoqSyl9MzrHiKinGN/mgO4xZhO5inch NyeKHuqE8hFToycMP2QnI66Yxmpm7UcUXEdMBvuoVvTaBpfH/aWKP+XXooVN4j89r1lI yVbNt3dNa07/WNms12lcgJvntGpGfVXoH5CO3MG/eijfaJ49AXRYo9teDZ9gs0aIO5ET ZBfs2WO3akI7aPPfmbA4QHJlf1hFkXs3tIiL0LAhIXPmd+d+Z35wCAXtRKfj/HipTPL1 Xm0g==
X-Gm-Message-State: AOAM531H+AgrT6q9Oo8z+b3erXvs5kPoTiBIjW7MAJ38vNs8/4XNR+QJ cEsUcYYXLMCNvGLsikIIl7w0StzZGQQSsTbBkwy7Yg==
X-Google-Smtp-Source: ABdhPJyGdfmIDjafGWMih+dpTLYW+AjV+4VQQZf20Fyxg9QCCqZZsuPqcg+BdRPDZVdVHXOgNvQP6cVpaRtUN0oyEe4=
X-Received: by 2002:a92:9e16:: with SMTP id q22mr20085183ili.17.1590320015403; Sun, 24 May 2020 04:33:35 -0700 (PDT)
MIME-Version: 1.0
References: <CANHgQ8H-xTuwMO8g9rZMTN2peb7=0x-1d7ZGzjoYeYskDQ=-+A@mail.gmail.com> <8850ef7e-1c97-a6a8-b801-5ffa247af0b9@andreasschulze.de> <20200523192736.GB89731@straasha.imrryr.org>
In-Reply-To: <20200523192736.GB89731@straasha.imrryr.org>
From: Ivan Ristic <ivan.ristic@gmail.com>
Date: Sun, 24 May 2020 12:33:24 +0100
Message-ID: <CANHgQ8H0dnNQCzrP0rXxZhLh+D52vsqiRyOk8pu9fFifZwBWTw@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/alternative; boundary="00000000000098ee6705a6633b0d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/If6oXY_Fv9ce7-IrCiihfOSZfTA>
Subject: Re: [Uta] Smallest practical MTA-STS maximum policy age?
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 May 2020 11:33:41 -0000
On Sat, May 23, 2020 at 8:27 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Sat, May 23, 2020 at 09:07:06PM +0200, A. Schulze wrote: > > > I asked a similar question last year: > > https://mailarchive.ietf.org/arch/msg/uta/bnUjy9jxM_Va-lDXVtbB32zIkYI/ > > Currently I use ~ 3 days as "max-age" and receive reports from google > > that don't let me think they have any problem with my setting. > > Keep in mind that I expect implementations of MTA-STS to not refresh > refresh policy caches pre-expiration in the *absence of traffic to the > destination domain. So if any domain hosts users who in aggregate > correspond with you less often than every 3 days, MTA-STS is completely > ineffective at protecting that traffic against MiTM downgrades. > > Thus, my take is that MTA-STS policies with a max_age less than ~30 days > are potentially ineffective, and perhaps not worth the bother. > Sure, for production use. The issue I am seeing is this: New users are experimenting with MTA-STS and wish to use a small policy duration until they're confident in their configuration. They use values in hours and don't get any reports. Perhaps there's a case for specifying a minimum acceptable policy duration in RFC errata or something? -- > Viktor. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > -- Ivan
- [Uta] Smallest practical MTA-STS maximum policy a… Ivan Ristic
- Re: [Uta] Smallest practical MTA-STS maximum poli… A. Schulze
- Re: [Uta] Smallest practical MTA-STS maximum poli… Viktor Dukhovni
- Re: [Uta] Smallest practical MTA-STS maximum poli… Ivan Ristic
- Re: [Uta] Smallest practical MTA-STS maximum poli… John Levine
- Re: [Uta] Smallest practical MTA-STS maximum poli… Daniel Margolis