IETF Logo Mail Archive

Re: [Uta] "webby" STS and DANE/DNSSEC co-existence

Chris Newman <chris.newman@oracle.com> Wed, 13 April 2016 17:44 UTC

Return-Path: <chris.newman@oracle.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B8ED12DFDB for <uta@ietfa.amsl.com>; Wed, 13 Apr 2016 10:44:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.197
X-Spam-Level:
X-Spam-Status: No, score=-5.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1yESi-73aaTB for <uta@ietfa.amsl.com>; Wed, 13 Apr 2016 10:44:12 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FF0112DE22 for <uta@ietf.org>; Wed, 13 Apr 2016 10:44:12 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u3DHiAg1021927 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 13 Apr 2016 17:44:11 GMT
Received: from gotmail.us.oracle.com (gotmail.us.oracle.com [10.133.152.174]) by userv0022.oracle.com (8.14.4/8.13.8) with ESMTP id u3DHiAcM022941; Wed, 13 Apr 2016 17:44:10 GMT
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_qKG0M5fnGq2Gl+514E1Sng)"
Received: from jcaps-rd2.us.oracle.com (jcaps-rd2.us.oracle.com [10.145.239.107]) by gotmail.us.oracle.com (Oracle Communications Messaging Server 8.0.0.0.0 64bit (built Mar 19 2015)) with ESMTPSA id <0O5L00F362KKTT00@gotmail.us.oracle.com>; Wed, 13 Apr 2016 10:43:46 -0700 (PDT)
Date: Wed, 13 Apr 2016 10:43:31 -0700
From: Chris Newman <chris.newman@oracle.com>
To: Daniel Margolis <dmargolis@google.com>, uta@ietf.org
Message-id: <etPan.570e8549.3d8c14b4.1614d@jcaps-rd2.us.oracle.com>
In-reply-to: <CANtKdUf0kN5aOmX0-NsyQXz_+PRGfaXa37DFZoCX3FqdYh5CpA@mail.gmail.com>
References: <570C0CD2.9030401@cs.tcd.ie> <20160411212128.GA26423@mournblade.imrryr.org> <CANtKdUekXNkVvsfq0UjCiaaPVBgoVGfrfnYUrdoOf0EegXMuPg@mail.gmail.com> <20160413014304.GB26423@mournblade.imrryr.org> <CANtKdUf0kN5aOmX0-NsyQXz_+PRGfaXa37DFZoCX3FqdYh5CpA@mail.gmail.com>
X-Mailer: Airmail (351)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/QD1mopF45Gnfcfz7w7QyoLCRhtE>
Subject: Re: [Uta] "webby" STS and DANE/DNSSEC co-existence
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2016 17:44:15 -0000

DANE is merely one method of validating a certificate, there can also be SMTP policy orthogonal to DANE. Take for example, DEEP’s “tls11” and “tls12” directives. Those specify a minimum acceptable version of TLS for future connections. Although we haven’t debated yet whether to include those in SMTP relay policy, I think it would make sense to include those directives, particularly given the problems we’ve seen with old versions of TLS causing real security problems. And there may be future policy directives we want that are even more compelling. So the question is where to put SMTP relay security policy that is orthogonal to DANE. Seems like wherever we choose to put the policy for SMTP relay STS (whether in a DNSSEC-protected DNS record, HTTPS well-known or SMTP+STARTTLS), that’s where we should always look for SMTP relay policy.

		- Chris
On April 12, 2016 at 17:48:25 , Daniel Margolis (dmargolis@google.com) wrote:

What's the complexity you're worried about? Is it mainly that there's another switch to flip incorrectly (i.e. inadvertent misconfiguration, at a greater risk due to the presence of more configurations) or the risk of malicious DoS? 

I think Stephen laid out the trade-offs fairly well. I can see the argument for telling recipients that if they already publish a DANE record they're probably fine and shouldn't really need an STS policy as well. But a "must" seems less helpful to me here; senders who have some external limitation that prevents them from implementing DNSSEC then must not implement STS? I'd be worried that some larger deployments might have trouble with that. 

On Wed, Apr 13, 2016 at 3:43 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
On Tue, Apr 12, 2016 at 06:52:31PM +0200, Daniel Margolis wrote:

> I'm not sure if I'm being stupid here, but what does it mean for STS to be
> "trumped" by DANE (or the reverse)? Do you mean that if the recipient
> domain/MX has both STS and DANE you will *only* validate the DANE policy?

Correct.  Trying to enforce both is too complex, and needlessly
increases the risk of delivery problems.

> If we instead said that senders who validate STS must honor STS and senders
> who validate DANE must honor DANE, is there a conflict?

That language is either tautological, or unreasonable, if intended
to imply that systems capable of both must be willing to apply both
concurrently.

> I would presume that if there is either a DANE failure or an STS failure
> senders who validate both will treat it as a failure. Introducing a concept
> of priority strikes me as unnecessary. What am I missing?

I have no plans to support concurrent evaluation of potentially
conflicting policies.  DANE is more robust than STS, given a DANE
policy I see no reason to also consider STS policy.

Of course an administrator will be able to choose which policy
applies to a given nexthop, but not enforcement of both.

--
        Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta

_______________________________________________  
Uta mailing list  
Uta@ietf.org  
https://www.ietf.org/mailman/listinfo/uta

v2.23.0 | Report a Bug | By Email