Re: [Uta] Uta Digest, Vol 28, Issue 16
Daniel Margolis <dmargolis@google.com> Thu, 24 March 2016 17:06 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76FBC12D677 for <uta@ietfa.amsl.com>; Thu, 24 Mar 2016 10:06:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oxcN7bFbChjR for <uta@ietfa.amsl.com>; Thu, 24 Mar 2016 10:06:41 -0700 (PDT)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E31AF12D19B for <uta@ietf.org>; Thu, 24 Mar 2016 10:06:26 -0700 (PDT)
Received: by mail-ig0-x230.google.com with SMTP id l20so16503645igf.0 for <uta@ietf.org>; Thu, 24 Mar 2016 10:06:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=NQJFxKRgyQ2vMvG5mrg5pEYx4KU3mRt548XriSVGXds=; b=o37uYau6yL6DajzzaDmFFjSgSyf9nZG0wKtg5dxkNuc8o0mWHGgfZzIf5GjM71KKFS DEXuxuSDzrmrCP6yjNtidFPvD2yV7TeSyiz9Cde8UTvp639YJaKv6K24URV2EI5Rb+dt MA+EUoIiUbg96bg90P07nEjTxBpRCVkWbwmmDDiWEx1WEyMyKPbsWgHwqyC1FQFuKiC9 yO90KYeTFn3pZ6ZmKJIju823Fpp1wDQSTnIe7VBRZ5j/tqAx7bE3KigPY8UrJkLtJPGt TtEjg/KFiOtCLTg1xVPm9rmQ75bXQsfslRZM9dPxbJvz8OShSBXxziAMk0RPDgg74fWb OrOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to; bh=NQJFxKRgyQ2vMvG5mrg5pEYx4KU3mRt548XriSVGXds=; b=JKDyfvnXwwzjpOyqZ3C9yyNoK/u7OtjHfll5HbIw7hAJr/BEirEdy870fBPxwjTGXA Wv6oBNjZyXEg7ETe+gMdnZY/28y1p/US7m2loAFC9jVxt020BoVIEIvDMd89v6oLTWHP evQmqI4arfUIIsaAFk5FX1VBMy3OxJ0QmWPB5dg3uj2U8HdYk6huiCBiErqxji1sbFQN h5OSIrsCvSn1gpl6/D+Ea8q1jFoxu6j9yT+U1OaioMSqmLYsJ5oMQAO9P5XISQkBtibr QvzbEHtO20qppTZKkDaCBtncj45b5GxAXGgekRcma08Ndmw1adO5ay7R6ek0gJum/zG1 JaOA==
X-Gm-Message-State: AD7BkJKzVsPIu8Pw/7DgWVCcXV2Kz1MbCmqrY4oVxC3PXztgqGZWEO7j2UuCUawI84Hc2Hbs+c9t2GNwRllDaPLm
MIME-Version: 1.0
X-Received: by 10.50.47.49 with SMTP id a17mr31127043ign.35.1458839185980; Thu, 24 Mar 2016 10:06:25 -0700 (PDT)
Received: by 10.64.251.136 with HTTP; Thu, 24 Mar 2016 10:06:25 -0700 (PDT)
In-Reply-To: <5B12C084-3EB4-4789-A12D-29B04C157AB8@dukhovni.org>
References: <mailman.354.1458836179.3382.uta@ietf.org> <5B12C084-3EB4-4789-A12D-29B04C157AB8@dukhovni.org>
Date: Thu, 24 Mar 2016 18:06:25 +0100
Message-ID: <CANtKdUeYJ-qcqu4WocYMKUcs8opfD1_edti2HcNNY=Mybp1Trw@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: uta@ietf.org
Content-Type: multipart/alternative; boundary="089e01229fa6778224052ece77db"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/JHqVMPgmbOjvqkTm9jw12nOjSA4>
Subject: Re: [Uta] Uta Digest, Vol 28, Issue 16
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2016 17:06:43 -0000
I think your thought exercise has brought you to the same place I arrived at. ;) Note in particular, regarding domains "too big to do DANE", that this seems likely to be especially true for big hosting providers. In particular, as written STS can be deployed in a DNSSEC-signed zone of customer.com to require MXs with valid certs for host.com. A secondary problem with in-band validation is that it may increase the risk of an attacker turning a temporary MITM into a perma-DoS, because you now can't require that the policy be delivered from a server who's certificate SAN matches the email domain. In the above example, you have to accept a policy for customer.com's email set by the MX at host.com--how do you know host.com isn't a temporary MITM who's trying to dos customer.com? Anyway, this is a bit of a tangent, I think, because I think we're all on the same page, but I've been sort of meaning to write up a list of motivating design concerns describing these sorts of corner cases that we discovered in alternate proposals; otherwise it's easy to forget *why* X wasn't likely to work. Dan On Thu, Mar 24, 2016 at 5:53 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > > On Mar 24, 2016, at 12:16 PM, uta-request@ietf.org wrote: > > > > In addition to the possible difficulty in migrating a domain off > > a server (particularly in a multi-tenant config), we also felt > > that introducing a new SMTP verb might be dramatically more complicated > > than deploying in parallel, because at least the DNS/webpki reporting > > can be added offline without changes to the core MTA. > > > > Was that not a concern in DEEP? Or simply unavoidable? > > Implementing a new SMTP verb is easier than parsing new DNS records > or adding an HTTPS stack to a sending MTA. > > That said, an out-of-band protocol might possibly be supported via > a mostly "generic" policy lookup interface that allows the sending MTA > to fetch TLS policy for a delivery and report results, while > in-band signalling might require somewhat more mechanism-specific code > in the MTA. > > The key difficulty is of course doing policy revocation in-band, it is > not obvious how to do that. If STS is defined more narrowly as a protocol > for sending mail to just the domains "too large to implement DNSSEC" (such > as those of the draft's authors), then the hosting issue goes away, and > in-band signalling works. If STS is to cater to smaller hosted domains, > then signalling that securely signalling that SMTP to one's domain is no > longer secure becomes difficult without a parallel out of band secure > channel. > > If STS-enabled SMTP servers were required to be able to disavow support > for a no-longer hosted domain in-band via SMTP, that might work. The > client would have to signal the domain to which it wants to deliver > email before "MAIL FROM", and the server would respond with the policy > for that domain, or an invalidation. > > This would mean that the cached data for a domain would include the > most recently seen MX hosts (not just the wildcard patterns), and > that when new MX hosts in DNS don't match any of the cached patterns, > a connection is made the cached ones for the purpose of a policy revocation > check. This sounds a bit tricky... Will the "losing" provider have > proper incentives to make the appropriate configuration changes in a timely > manner? > > -- > Viktor. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Viktor Dukhovni
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Daniel Margolis
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Orit Levin (CELA)
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Viktor Dukhovni
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Neil Cook