Re: [Uta] Updated drafts for MTA-STS & TLSRPT
David Illsley <davidillsley@gmail.com> Mon, 20 February 2017 19:16 UTC
Return-Path: <davidillsley@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 515521296DA for <uta@ietfa.amsl.com>; Mon, 20 Feb 2017 11:16:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fp4arD_nYcGs for <uta@ietfa.amsl.com>; Mon, 20 Feb 2017 11:16:21 -0800 (PST)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87E5A129559 for <uta@ietf.org>; Mon, 20 Feb 2017 11:16:21 -0800 (PST)
Received: by mail-oi0-x22c.google.com with SMTP id y140so27197607oie.1 for <uta@ietf.org>; Mon, 20 Feb 2017 11:16:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bGov1A4OkSEHx16IfjysHVseZ2Ql/FNFbuQ7ZSE1u6g=; b=o3kzrm+SFzDOJuuZAKWVhtWwV9TPQt2khLM9pQ4/fYhNeZ2KUAAXTNQlqI1mUYcVaF RY0tqo6eCT6rdrVp8b7xMpk5mrCqAIhgxoILGu1kW82GU+Ya793Snyj/H6/llbYRdfM8 2ceOUKyVnzqbp38kcPgo7qAaKa1cqUGbSq8d9n9yNde4n1wwOHXGZTOvcIb5K1Luaddp q81j3KAq9ur4HkyJ9xTT/tHO1hEqHrn9JsGLDkfkHM+Zt/5z57uMYzTs6IRlNFYGzGxJ 0sFsIbShzKrw3RMZrxB1YCwuy8adArYTE1dG8YgNSuSkUXso3P1ELB6knl7mXHj7xkAa 3eOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bGov1A4OkSEHx16IfjysHVseZ2Ql/FNFbuQ7ZSE1u6g=; b=sJXCW9I2r4iFvvxS4iI1L6B3pPYmqj8UHNtRNVveE2Em7E7NJRFxb/K13vPz9mni5k vVfzo6WzGKyhCEw8v6eXQ4Tt5AriOJy9a3ME1ucjuHI0ymmSlpEcK7YzyXyNJ//GkF9t EYMNTM1A1459zC9vT9/58ANfTvvkOFNDaaESiUnOV/b82lzAlyFl12RgPEbnCLWGVOS4 4sPMUges50Mo7NRQDaZrJ6C4/AYKzx5A3YWwhj9pdjlwNGlW7swVgKXk3Zj5ncePX/bb Ne+/OtzgTrJOT9gQn3psxH9W2YigqBGiN9mHs1gnaEwZwGEShsDRukChY3ucOFQFNQyU GoWg==
X-Gm-Message-State: AMke39koVN6hW2ReffMg1E1YFe9E/EOeEwZ8wmEu4SwPZrMEpMojAgd2mjdiD3fY0NRZOYe1TCwOy116Bi+lKg==
X-Received: by 10.202.3.197 with SMTP id 188mr12431763oid.31.1487618180842; Mon, 20 Feb 2017 11:16:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.24.110 with HTTP; Mon, 20 Feb 2017 11:16:20 -0800 (PST)
In-Reply-To: <a0701ba14a704ac08f2b099a0576e22e@COPDCEX19.cable.comcast.com>
References: <a0701ba14a704ac08f2b099a0576e22e@COPDCEX19.cable.comcast.com>
From: David Illsley <davidillsley@gmail.com>
Date: Mon, 20 Feb 2017 19:16:20 +0000
Message-ID: <CA+E3Fw2=3QCeeB2hOjzKERwRaF6p_G9z6Gm9GA4Yz2qE0KBhRA@mail.gmail.com>
To: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
Content-Type: multipart/alternative; boundary="001a113b72063b115d0548fb1914"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/MrTow9gRSJnD9LUoNrydm-n9XA8>
Cc: "uta@ietf.org" <uta@ietf.org>
Subject: Re: [Uta] Updated drafts for MTA-STS & TLSRPT
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2017 19:16:23 -0000
It's been a while since I looked at the drafts, and they're looking good. The area I'm getting stuck on is max_age. It's a point of user-configurability, with little guidance on what's good, and the strong possibility that people will make weak or otherwise bad choices. As someone who expects MTA-STS to have a similar effect to HSTS - effectively ratchet security, it seems like it's desirable for it to be as long as possible. In general, the fact the a complete failure causes a policy update makes this simple and safe. There are a couple of reasons why I think it's not quite that easy: 1. It's not desirable for a 'report' configuration to be used beyond the point that a domain has switched to 'enforce', and a long-cached 'report' policy could do this. 2. It prevents new MX records (eg new servers for increased capacity or backups) not covered by the cached policy from being used until the max_age, or until a failure to send with all the covered servers. There is also a downside that if policies are cached for a long time, misconfiguration of the policy server is less likely to be noticed quickly as fewer domains will be sending reports indicating a failure. Having pondered it a bit, my suggestion is: 1. A SHOULD that max_age is set to at least 6 months, other than during roll-out 2. A SHOULD that well-behaved clients with a cached policy should re-check DNS TXT policy weekly, and retrieve via HTTPS if the policy id has changed. An alternative to (2) would be to add an optional refresh_after field with similar semantics which would have a default value of 7 days which could be overridden if, for some reason there are concerns that weekly is too often (but I'm generally of the opinion that fewer options are better). I hope that makes sense, and do let me know if I've missed something. Cheers, David On Wed, Feb 15, 2017 at 7:57 PM, Brotman, Alexander < Alexander_Brotman@comcast.com> wrote: > Folks, > > We uploaded new revisions for MTA-STS and TLSRPT. There are minor changes > to each: > > 1) Remove the "_" from DNS records to be consistent with A/AAAA records > used with the HTTPS retrieval, and make this a bit less confusing for > deployments. We did this for both MTA-STS and TLSRPT. > 2) Clarify language around punycode > > Please give these a review and get back to us with any comments. Thank > you. > > -- > Alex Brotman > Sr. Engineer, Anti-Abuse > Comcast > x5364 > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] Updated drafts for MTA-STS & TLSRPT Brotman, Alexander
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT David Illsley
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Viktor Dukhovni
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Viktor Dukhovni
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Viktor Dukhovni
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT David Illsley
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT David Illsley
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Viktor Dukhovni
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Alberto Bertogli
- Re: [Uta] Updated drafts for MTA-STS & TLSRPT Daniel Margolis