Re: [Uta] "webby" STS and DANE/DNSSEC co-existence

Daniel Margolis <dmargolis@google.com> Tue, 12 April 2016 16:52 UTC

In-Reply-To: <20160411212128.GA26423@mournblade.imrryr.org>
References: <570C0CD2.9030401@cs.tcd.ie> <20160411212128.GA26423@mournblade.imrryr.org>
Date: Tue, 12 Apr 2016 18:52:31 +0200
Message-ID: <CANtKdUekXNkVvsfq0UjCiaaPVBgoVGfrfnYUrdoOf0EegXMuPg@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: uta@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/MFqonHdfhD2GAo8FlyOgGMbXUuQ>

I'm not sure if I'm being stupid here, but what does it mean for STS to be
"trumped" by DANE (or the reverse)? Do you mean that if the recipient
domain/MX has both STS and DANE you will *only* validate the DANE policy?

If we instead said that senders who validate STS must honor STS and senders
who validate DANE must honor DANE, is there a conflict? I would presume
that if there is either a DANE failure or an STS failure senders who
validate both will treat it as a failure. Introducing a concept of priority
strikes me as unnecessary. What am I missing?

On Mon, Apr 11, 2016 at 11:21 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Mon, Apr 11, 2016 at 09:45:06PM +0100, Stephen Farrell wrote:
>
> > With no hats, I'd like to argue that the WG should pursue
> > the "webby" STS proposal, but should also ensure that we
> > do not damage progress made by those who are deploying the
> > DANE/DNSSEC approach to securing MTA-MTA connections.
> >
> > I think we can do that by requiring that outbound MTAs
> > that implement the "webby" approach MUST/SHOULD first test
> > for, and process, TLSA records for the next MX in the path.
> > In other words the "webby" approach is tried 2nd.
>
> [ By the way both DANE and STS are still opportunistic security as
>   defined in RFC 7435, the difference is that these are not just
>   unauthenticated encryption. DANE and STS are used on the fly
>   with peers that publish the relevant policy via some downgrade-
>   resistant mechanism. ]
>
> In Postfix, if and when we do implement client-side "webby" STS,
> I expect that STS will be trumped by any DANE policy on MTAs that
> support both (when sending email to destinations that support both).
> One key reason is that DANE downgrade-resistance is stronger (works
> on first contact) and DANE is exposed to fewer trusted CAs.
>
> --
>         Viktor.
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>
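To make the question in this exchange concrete, here is an added model (not code from the thread, Postfix, or any draft) of the two composition rules under discussion: "DANE trumps STS" versus "every policy the sender validates must pass". Each mechanism's check is reduced to one of three constructed outcomes, and the enumeration shows exactly which combinations the two rules decide differently.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """Result of one mechanism's check for a single MX connection."""
    NOT_APPLICABLE = "no policy published"   # no (secure) TLSA / no STS policy
    PASS = "validated"                        # policy found and the TLS peer matched it
    FAIL = "validation failed"                # policy found but the peer did not match


@dataclass(frozen=True)
class Checks:
    """Constructed per-connection inputs; real MTAs derive these from DNS and TLS."""
    dane: Outcome   # DNSSEC-secure TLSA lookup plus certificate/key match
    sts: Outcome    # STS policy fetched, MX name matched, CA chain validated


def deliver_with_priority(c: Checks) -> bool:
    """Priority rule: a published DANE policy decides alone; STS is consulted only
    when there is no DANE policy for the MX."""
    if c.dane is not Outcome.NOT_APPLICABLE:
        return c.dane is Outcome.PASS
    if c.sts is not Outcome.NOT_APPLICABLE:
        return c.sts is Outcome.PASS
    return True   # no policy at all: opportunistic TLS, nothing to enforce


def deliver_if_both_honoured(c: Checks) -> bool:
    """Conjunctive rule: a sender that validates both mechanisms treats a failure
    of either one as a delivery failure."""
    return Outcome.FAIL not in (c.dane, c.sts)


def divergent_cases() -> list:
    """Enumerate all nine input combinations and return those on which the two
    rules disagree."""
    return [
        Checks(d, s)
        for d in Outcome
        for s in Outcome
        if deliver_with_priority(Checks(d, s)) != deliver_if_both_honoured(Checks(d, s))
    ]
```

Running `divergent_cases()` yields a single case, DANE passing while STS fails, which is the only situation in which introducing a priority between the two mechanisms changes the delivery decision.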