IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 21 February 2019 20:52 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F9011311B9 for <uta@ietfa.amsl.com>; Thu, 21 Feb 2019 12:52:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NLH5JQ3jTx5C for <uta@ietfa.amsl.com>; Thu, 21 Feb 2019 12:52:51 -0800 (PST)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDAD41311B2 for <uta@ietf.org>; Thu, 21 Feb 2019 12:52:50 -0800 (PST)
Received: by mail-lf1-x129.google.com with SMTP id u21so10373lfu.1 for <uta@ietf.org>; Thu, 21 Feb 2019 12:52:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=JaTX6MHhL9DbZqSXi5kMkzm0l9B43s0q+cpZJJ7ww8o=; b=FrLNqwAPmRXdF2JYYYJa+l1Imu0oG2C9/VPYyXhsynvfs+ygjfkToizqQMdfq3BlNY bC7kyRXd9B5dAZZpGRwGWg/1/iwS9mG8VcesahX+jIKS2i1igJlJqNhBEuhIs3KcBgP+ UiC58IzUFqU+dBFm6U6IN5DraAXoRTYQQgy4R9wem4Oe7FRAoAdKrLbANfEsTf5BBEws xl7fkx1+PURrgwUXYHcTQJmFWomb+NQlUni+mQ0IQaBbkQ2dNw6sg0g49geplgZQgzIn sb2u09dFp6kSM8BPbDDm2zK1a+uMRdnIpX0PJHaZutWyRtPu/Nf4ogr1POYmxq63VUJe muDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=JaTX6MHhL9DbZqSXi5kMkzm0l9B43s0q+cpZJJ7ww8o=; b=eTv+j5mFdOFQV7aKxtE1SdAFqzUjRcwoHVZqeeVDrY8G3JS6jsI5HtDTvoW4iBjyjT jAbWtKsXfba0GbaPVIP7dOU9XwDRCtVgVWSf/Z6LacswGOduu+G4FxeYywjqiBwm5gDj OG7VFMoUvkOUg15RtgccQL7TDOQkZ1vNyzYzTgwBFQmfmXpVDKdDui5FbQvB4kAN7zKV QJ72yM8pHdIbxEE1V/HP7Xzaxwr+Xn5UZWCn9WwQuI9+YCYaUSHqJ9v4vlvWXVvdgnhL ROMwTaF86rrgzzkNsf6cbCf7gzFNTRvWbBZmM0HvSZmq0HPy5W/md+GJNFaHeEK0zm6a 7+yg==
X-Gm-Message-State: AHQUAuamkS6CCbNdzy0f2KYBaOcam5cO5nyZAib1gdts00Yz0tuhoGhq iHkb6nrSe2r5p5wRtqShHp3pNroDvZNxTue9CC0BxA==
X-Google-Smtp-Source: AHgI3IYh9ddj+ZEjx5M+V+38Zmr9OiafxtFTWIqEiPEuJERYvbOrzulk7FTJrF+yLYoi3pJfCwCZtVq8wUtKh4x8ILI=
X-Received: by 2002:a19:5013:: with SMTP id e19mr238209lfb.89.1550782368706; Thu, 21 Feb 2019 12:52:48 -0800 (PST)
MIME-Version: 1.0
References: <155076162945.8595.2671476533659571699.idtracker@ietfa.amsl.com> <9964642F-59A8-41E0-B892-509F0ADEF8F7@dukhovni.org> <CABcZeBPZWjA4Pc0yEwb7DNmE4esxwAqn=0Czc=L1G-qzb4cV6w@mail.gmail.com> <20190221204259.GZ916@straasha.imrryr.org>
In-Reply-To: <20190221204259.GZ916@straasha.imrryr.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 21 Feb 2019 12:52:08 -0800
Message-ID: <CABcZeBMw_yo8GwAN0jF+jLMfRWh6BsG_0jkxXF6Y-x+JUEfOnQ@mail.gmail.com>
To: The IESG <iesg@ietf.org>, uta@ietf.org, uta-chairs@ietf.org, draft-ietf-uta-smtp-require-tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000036080105826da8d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/Pr6bJjkIPDK5kOzY0zL_9_jtk4I>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 20:52:53 -0000

On Thu, Feb 21, 2019 at 12:43 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Thu, Feb 21, 2019 at 12:22:32PM -0800, Eric Rescorla wrote:
>
> > > A recipient has no expectation that the sending MTA supports any of
> > > DANE, MTA-STS, REQUIRETLS, or even STARTTLS.
> >
> > Nor do Web servers have any expectation that clients support HSTS, but we
> > still don't allow it to be overridden by some http-no-really:// link.
>
> "http-no-really://" links are not the right analogy, links are
> typically delivered to the user, they rarely expressions of the
> user's policy choice.
>

No, they're the expression of the link generator's policy choice, but the
same situation obtains, if you do, for instance, XHR.


Browers have interactive human users who can on the spot chose to
> override whatever security policy is in place. Firefox by default
> offers me the opportunity to make certificate exceptions permanent,
> and I always have to remember to uncheck the check-box to make an
> exception for just the one connection.
>

You can't override HSTS, actually.


> > More harmful to security than acknowledging that either participant
> > > has the freedom to choose the policy that works best for them, is
> > > restricting their choices to the point of making the use of security
> > > mechanisms too burdensome to deploy.
> >
> > The problem with this mechanism is that it is denying the recipient the
> > right to choose what works for them.
>
> I am not aware of any such right.  The receiving system is announcing
> a capability, and the sending system does its best to achieve the
> highest common security level.


No, it's saying "don't deliver this at all, if you can't do this"



>   The input to finding the highest
> common level includes software feature availability and local policy,
> potentially including user preference.
>
> The receiving system *cannot* expect to enforce its ceiling, all
> it can do is offer more security, and hope that it will be used.
> For that to happen, more senders would have to support the security
> mechanisms, but they are likely to hold back if these offer no way
> workable way to manage exceptions.
>
> Firefox and Chrome offer dialogues to bypass the built-in browser
> security mechanisms, a somewhat analogous control should be available
> to mail user agents.
>

See above.

-Ekr


> --
>         Viktor.
>
>

v2.23.0 | Report a Bug | By Email