Re: [Uta] "webby" STS and DANE/DNSSEC co-existence
Chris Newman <chris.newman@oracle.com> Wed, 13 April 2016 17:44 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B8ED12DFDB for <uta@ietfa.amsl.com>; Wed, 13 Apr 2016 10:44:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.197
X-Spam-Level:
X-Spam-Status: No, score=-5.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1yESi-73aaTB for <uta@ietfa.amsl.com>; Wed, 13 Apr 2016 10:44:12 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FF0112DE22 for <uta@ietf.org>; Wed, 13 Apr 2016 10:44:12 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u3DHiAg1021927 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 13 Apr 2016 17:44:11 GMT
Received: from gotmail.us.oracle.com (gotmail.us.oracle.com [10.133.152.174]) by userv0022.oracle.com (8.14.4/8.13.8) with ESMTP id u3DHiAcM022941; Wed, 13 Apr 2016 17:44:10 GMT
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_qKG0M5fnGq2Gl+514E1Sng)"
Received: from jcaps-rd2.us.oracle.com (jcaps-rd2.us.oracle.com [10.145.239.107]) by gotmail.us.oracle.com (Oracle Communications Messaging Server 8.0.0.0.0 64bit (built Mar 19 2015)) with ESMTPSA id <0O5L00F362KKTT00@gotmail.us.oracle.com>; Wed, 13 Apr 2016 10:43:46 -0700 (PDT)
Date: Wed, 13 Apr 2016 10:43:31 -0700
From: Chris Newman <chris.newman@oracle.com>
To: Daniel Margolis <dmargolis@google.com>, uta@ietf.org
Message-id: <etPan.570e8549.3d8c14b4.1614d@jcaps-rd2.us.oracle.com>
In-reply-to: <CANtKdUf0kN5aOmX0-NsyQXz_+PRGfaXa37DFZoCX3FqdYh5CpA@mail.gmail.com>
References: <570C0CD2.9030401@cs.tcd.ie> <20160411212128.GA26423@mournblade.imrryr.org> <CANtKdUekXNkVvsfq0UjCiaaPVBgoVGfrfnYUrdoOf0EegXMuPg@mail.gmail.com> <20160413014304.GB26423@mournblade.imrryr.org> <CANtKdUf0kN5aOmX0-NsyQXz_+PRGfaXa37DFZoCX3FqdYh5CpA@mail.gmail.com>
X-Mailer: Airmail (351)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/QD1mopF45Gnfcfz7w7QyoLCRhtE>
Subject: Re: [Uta] "webby" STS and DANE/DNSSEC co-existence
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2016 17:44:15 -0000
DANE is merely one method of validating a certificate, there can also be SMTP policy orthogonal to DANE. Take for example, DEEP’s “tls11” and “tls12” directives. Those specify a minimum acceptable version of TLS for future connections. Although we haven’t debated yet whether to include those in SMTP relay policy, I think it would make sense to include those directives, particularly given the problems we’ve seen with old versions of TLS causing real security problems. And there may be future policy directives we want that are even more compelling. So the question is where to put SMTP relay security policy that is orthogonal to DANE. Seems like wherever we choose to put the policy for SMTP relay STS (whether in a DNSSEC-protected DNS record, HTTPS well-known or SMTP+STARTTLS), that’s where we should always look for SMTP relay policy. - Chris On April 12, 2016 at 17:48:25 , Daniel Margolis (dmargolis@google.com) wrote: What's the complexity you're worried about? Is it mainly that there's another switch to flip incorrectly (i.e. inadvertent misconfiguration, at a greater risk due to the presence of more configurations) or the risk of malicious DoS? I think Stephen laid out the trade-offs fairly well. I can see the argument for telling recipients that if they already publish a DANE record they're probably fine and shouldn't really need an STS policy as well. But a "must" seems less helpful to me here; senders who have some external limitation that prevents them from implementing DNSSEC then must not implement STS? I'd be worried that some larger deployments might have trouble with that. On Wed, Apr 13, 2016 at 3:43 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: On Tue, Apr 12, 2016 at 06:52:31PM +0200, Daniel Margolis wrote: > I'm not sure if I'm being stupid here, but what does it mean for STS to be > "trumped" by DANE (or the reverse)? Do you mean that if the recipient > domain/MX has both STS and DANE you will *only* validate the DANE policy? Correct. Trying to enforce both is too complex, and needlessly increases the risk of delivery problems. > If we instead said that senders who validate STS must honor STS and senders > who validate DANE must honor DANE, is there a conflict? That language is either tautological, or unreasonable, if intended to imply that systems capable of both must be willing to apply both concurrently. > I would presume that if there is either a DANE failure or an STS failure > senders who validate both will treat it as a failure. Introducing a concept > of priority strikes me as unnecessary. What am I missing? I have no plans to support concurrent evaluation of potentially conflicting policies. DANE is more robust than STS, given a DANE policy I see no reason to also consider STS policy. Of course an administrator will be able to choose which policy applies to a given nexthop, but not enforcement of both. -- Viktor. _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Jim Fenton
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- [Uta] "webby" STS and DANE/DNSSEC co-existence Stephen Farrell
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Mark Risher
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Neil Cook
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Neil Cook
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Neil Cook
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Neil Cook
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Chris Newman
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Binu Ramakrishnan
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Jim Fenton
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Eric Rescorla
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Jim Fenton
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Chris Newman
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Jim Fenton
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Chris Newman
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence =JeffH
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Stephen Farrell
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Leif Johansson