IETF Logo Mail Archive

Re: [Uta] "webby" STS and DANE/DNSSEC co-existence

Neil Cook <neil.cook@noware.co.uk> Wed, 13 April 2016 09:34 UTC

Return-Path: <neil.cook@noware.co.uk>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24D8E12DD74 for <uta@ietfa.amsl.com>; Wed, 13 Apr 2016 02:34:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.895
X-Spam-Level:
X-Spam-Status: No, score=-2.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yV4R-zt2a48k for <uta@ietfa.amsl.com>; Wed, 13 Apr 2016 02:34:29 -0700 (PDT)
Received: from mail.noware.co.uk (mail.noware.co.uk [192.241.243.54]) by ietfa.amsl.com (Postfix) with ESMTP id 7630A12DD51 for <uta@ietf.org>; Wed, 13 Apr 2016 02:34:23 -0700 (PDT)
Received: from neil-cook-mbp.home (unknown [86.153.224.89]) by mail.noware.co.uk (Postfix) with ESMTPSA id 7006A1C0533; Wed, 13 Apr 2016 09:34:21 +0000 (UTC)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_50DC278C-E7D2-409D-82F0-C5B7BE1628FB"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.6b2
From: Neil Cook <neil.cook@noware.co.uk>
In-Reply-To: <CANtKdUctfEKuQAscMkt_A5wcA84Z4y3L4KvcsxVd2Qb0NRBtgw@mail.gmail.com>
Date: Wed, 13 Apr 2016 10:34:20 +0100
Message-Id: <96AFF4DD-A934-4C92-A72E-AF729CE053D7@noware.co.uk>
References: <570C0CD2.9030401@cs.tcd.ie> <20160411212128.GA26423@mournblade.imrryr.org> <CANtKdUekXNkVvsfq0UjCiaaPVBgoVGfrfnYUrdoOf0EegXMuPg@mail.gmail.com> <20160413014304.GB26423@mournblade.imrryr.org> <CANtKdUf0kN5aOmX0-NsyQXz_+PRGfaXa37DFZoCX3FqdYh5CpA@mail.gmail.com> <5249C8ED-CACD-4765-909E-CB8EB218BF10@noware.co.uk> <CANtKdUctfEKuQAscMkt_A5wcA84Z4y3L4KvcsxVd2Qb0NRBtgw@mail.gmail.com>
To: Daniel Margolis <dmargolis@google.com>
X-Mailer: Apple Mail (2.3112)
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.1 cv=TdMYtHgh c=1 sm=1 tr=0 a=xfdXm1iLTETJF5zWIHVl8g==:117 a=xfdXm1iLTETJF5zWIHVl8g==:17 a=L9H7d07YOLsA:10:nop_no_from_header a=9cW_t1CCXrUA:10:nop_no_to_header a=s5jvgZ67dGcA:10:nop_no_subject_header a=1XWaLZrsAAAA:8 a=D2AyyhpcAAAA:8 a=lyf1682xAAAA:8 a=48vgC7mUAAAA:8 a=6dZpJeI1ItK5x4o9M5QA:9 a=yICD5vKH5Jx3eUZ4:21 a=G_a9a3jD6cIkyQ3T:21 a=QEXdDO2ut3YA:10:nop_charset_2 a=ucdxbJRuHdZ4l4PoRWYA:9 a=ALW_UFhRtDTayQC5:21 a=IZM1355Hl8bAHR6N:21 a=ElSMnAEMWt0tQ-oC:21 a=_W_S_7VecoQA:10:nop_html a=XUIFR0xDUUPnZkHRsA0A:9
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/NnpsQFukc35J5LAZvKMXhLhUPH0>
Cc: uta@ietf.org
Subject: Re: [Uta] "webby" STS and DANE/DNSSEC co-existence
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2016 09:34:34 -0000

> On 13 Apr 2016, at 10:04, Daniel Margolis <dmargolis@google.com <mailto:dmargolis@google.com>> wrote:
> 
> On Wed, Apr 13, 2016 at 10:40 AM, Neil Cook <neil.cook@noware.co.uk <mailto:neil.cook@noware.co.uk>> wrote:
> 
>> On 13 Apr 2016, at 08:48, Daniel Margolis <dmargolis@google.com <mailto:dmargolis@google.com>> wrote:
>> 
>> What's the complexity you're worried about? Is it mainly that there's another switch to flip incorrectly (i.e. inadvertent misconfiguration, at a greater risk due to the presence of more configurations) or the risk of malicious DoS?
>> 
> 
> Checking both is not a good idea. DANE support scenarios like self-signed certs, which STS does not.
> 
> Yes, but if you have a self-signed cert, you aren't going to have an STS policy, so that's a different scenario than what we're discussing, no?
> 

Well, both need to work independently as you say below. But I might still have an STS policy (using a different, CA-signed cert) where I have a self-signed cert for DANE, because I want to support clients who only support one or the other. Forcing clients to validate both doesn’t seem to be a good idea.

> This is distinct from the first analogy that crossed my mind, which is Web browsers who support DANE: in the web browser case, WebPKI is essentially the default, so for DANE to work (with self-signed certs) we need to be clear that DANE trumps WebPKI. But in the SMTP case the default is nothing, so if someone explicitly requests STS or DANE, both policies must work independently (or else they're going to be missing mail from senders who validate only one or the other).

Yes, but I might prefer that senders use one rather than the other. DANE is more flexible in terms of allowing things like self-signed certs, so from my point of view, if I’m running a mail server I want clients to use DANE if they support both. I don’t want the client to make that decision.

Neil

> 
> 
>> I think Stephen laid out the trade-offs fairly well. I can see the argument for telling recipients that if they already publish a DANE record they're probably fine and shouldn't really need an STS policy as well. But a "must" seems less helpful to me here; senders who have some external limitation that prevents them from implementing DNSSEC then must not implement STS? I'd be worried that some larger deployments might have trouble with that.
>> 
> 
> We’re only talking about what precedence to use for senders who support both, not saying that recipients must support both. If sender who supports both DANE/DNSSEC and STS encounters a TLSA record it MUST honour that, and not use STS. If a sender supporting both only sees one or the other, then it’s fine. Senders which only support one or the other are also fine.
> 
> Neil
> 
>> On Wed, Apr 13, 2016 at 3:43 AM, Viktor Dukhovni <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
>> On Tue, Apr 12, 2016 at 06:52:31PM +0200, Daniel Margolis wrote:
>> 
>> > I'm not sure if I'm being stupid here, but what does it mean for STS to be
>> > "trumped" by DANE (or the reverse)? Do you mean that if the recipient
>> > domain/MX has both STS and DANE you will *only* validate the DANE policy?
>> 
>> Correct.  Trying to enforce both is too complex, and needlessly
>> increases the risk of delivery problems.
>> 
>> > If we instead said that senders who validate STS must honor STS and senders
>> > who validate DANE must honor DANE, is there a conflict?
>> 
>> That language is either tautological, or unreasonable, if intended
>> to imply that systems capable of both must be willing to apply both
>> concurrently.
>> 
>> > I would presume that if there is either a DANE failure or an STS failure
>> > senders who validate both will treat it as a failure. Introducing a concept
>> > of priority strikes me as unnecessary. What am I missing?
>> 
>> I have no plans to support concurrent evaluation of potentially
>> conflicting policies.  DANE is more robust than STS, given a DANE
>> policy I see no reason to also consider STS policy.
>> 
>> Of course an administrator will be able to choose which policy
>> applies to a given nexthop, but not enforcement of both.
>> 
>> --
>>         Viktor.
>> 
>> _______________________________________________
>> Uta mailing list
>> Uta@ietf.org <mailto:Uta@ietf.org>
>> https://www.ietf.org/mailman/listinfo/uta <https://www.ietf.org/mailman/listinfo/uta>
>> 
>> _______________________________________________
>> Uta mailing list
>> Uta@ietf.org <mailto:Uta@ietf.org>
>> https://www.ietf.org/mailman/listinfo/uta <https://www.ietf.org/mailman/listinfo/uta>
> 
> 
> _______________________________________________
> Uta mailing list
> Uta@ietf.org <mailto:Uta@ietf.org>
> https://www.ietf.org/mailman/listinfo/uta

v2.23.0 | Report a Bug | By Email