Re: [Uta] New proposal: SMTP Strict Transport Security
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 11 April 2016 20:30 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48BA012E6D2 for <uta@ietfa.amsl.com>; Mon, 11 Apr 2016 13:30:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tg0ANPRACw2 for <uta@ietfa.amsl.com>; Mon, 11 Apr 2016 13:30:49 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FDA112ED47 for <uta@ietf.org>; Mon, 11 Apr 2016 13:30:48 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0CC3C284DCA; Mon, 11 Apr 2016 20:30:47 +0000 (UTC)
Date: Mon, 11 Apr 2016 20:30:47 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20160411203046.GZ26423@mournblade.imrryr.org>
References: <CANtKdUewMQ5jVAUOaWfuUquFdDB_dh_jNEfAo7T=qruqzszGqw@mail.gmail.com> <1A3DB748-26E6-404D-84F5-962B3AA21AB4@azet.org> <CANtKdUf9MujQxZQMz8xbPi+EVOYXLWgR342x1-S8u12PPm-TAA@mail.gmail.com> <20160406224039.GH26423@mournblade.imrryr.org> <20160408151600.GB13343@schweikert.ch> <20160408190615.GM26423@mournblade.imrryr.org> <20160409220007.GA17512@schweikert.ch> <CANtKdUd5Oqbd9Y-mTzEoBzKJJy5gcbUzYOu=YFziGaCsg56SoQ@mail.gmail.com> <20160410204458.GX26423@mournblade.imrryr.org> <CANtKdUe7_ZUT=Js47mP=i7h+hbR6wrMJN6XvZEypyWGyTkVUeA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANtKdUe7_ZUT=Js47mP=i7h+hbR6wrMJN6XvZEypyWGyTkVUeA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/Q4A99aWrrcey0FUNfGEWZY_1YkE>
Subject: Re: [Uta] New proposal: SMTP Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2016 20:30:51 -0000
On Mon, Apr 11, 2016 at 10:07:14AM +0200, Daniel Margolis wrote: > I see your point. But I think one thing still needs to be specified. In the > smarthost case, what domain is used to validate the server certificate > during the HTTPS policy fetch? The nexthop domain. It may, or may not, be subject to further MX indirection depending on local policy: 1. # Forward example.com email via example.net's MX hosts # whatever they may be # example.com smtp:example.net 2. # Forward example.name email via the smtp.example.org # relay host. # example.name smtp:[smtp.example.org] In case "1" the STS policy DNS lookup (signal of support) would be at "example.net" and the well-known URI would be https://example.com/... In case "2" the STS policy DNS lookup would at "smtp.example.org", and if that happens to indicate STS support, the well known URI would be https://smtp.example.org/... > Presumably it's now the domain of the > smarthost, not the domain of the recipient domain (for obvious reasons). Yes, always the domain of the SMTP nexthop, which may or not be subject to further MX indirection, but recall that (RFC 5321) relay hosts are just (implicitly) MX domains with: smtp.example.com. IN MX 0 smtp.example.com So the two cases are the same, the STS policy is always associated with the owner-domain domain on the (possibly implicit) MX RRset. > But this is mildly funny; absent smarthosting, it's the email domain that > signs the policy (for obvious reasons); with smarthosting, it's the MX > domain? Nothing funny at all, and not it is always the transport nexthop domain that signs the policy. Do not confuse the nexthop domain with its MX exchange host, even when they are necessarily the same (example 2). > I guess this is why Chris was saying it makes sense to separate routing > policy and security policy, but I don't love the complexity that that adds. Yes, these are related. With DANE routing is protected by DNSSEC alone, and TLSA records then provide security policy for the target MX. Since TLSA records are cleanly separated from routing they protect the traffic for that MX regardless of whether MX indirection was used or not. In Postfix 3.1 (released in Feb 2016) we by default also make use of DANE TLSA records even when the MX RRset is not signed, provided the MX host's TLSA records are. We don't log that as being as secure as having signed MX RRs, but it does protect against active attacks when the DNS records are not compromised. > I think instead it makes sense to simply say that in the smarthosting case > the policy domain is the smarthost domain. Not sure where "instead" comes from, that's the only plausible interpretation for transport security, but note that when the nexthop domain (smarthost is a special case of nexthop based on local policy) is subject to further MX lookups (example 1), the STS policy is associated with the nexthop domain, not the target MX hosts. -- Viktor.
- [Uta] New proposal: SMTP Strict Transport Security Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Neil Cook
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- [Uta] SMTP Strict Transport Security - reporting Alexey Melnikov
- Re: [Uta] SMTP Strict Transport Security - report… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] SMTP Strict Transport Security - report… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Binu Ramakrishnan
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… ned+uta
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner