Re: [Uta] Revised wording on security consideration re TLS-Required

"Brotman, Alexander" <Alexander_Brotman@comcast.com> Thu, 28 March 2019 13:52 UTC

From: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
To: Jim Fenton <fenton@bluepopcorn.net>, "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] Revised wording on security consideration re TLS-Required
Thread-Index: AQHU5HftNpKdyoxcTUaHdIKLNlEZOqYhEZww
Date: Thu, 28 Mar 2019 13:51:55 +0000
Message-ID: <852f39fbd6cf467cac60cecfe6d5a247@COPDCEX19.cable.comcast.com>
References: <1a996b24-e01d-9f40-ad2d-08d44f789bd4@bluepopcorn.net>
In-Reply-To: <1a996b24-e01d-9f40-ad2d-08d44f789bd4@bluepopcorn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/R-SZWoY74B3U2vcrBiYSe5zMtvM>

Jim,

I’m not sure how much of an impact this might have, but should there be a reference to TLSRPT?  Either not to be counted or to explain the lack of TLS based on “TLS-Required: no” being set?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: Uta <uta-bounces@ietf.org> On Behalf Of Jim Fenton
Sent: Wednesday, March 27, 2019 4:34 AM
To: uta@ietf.org
Subject: [Uta] Revised wording on security consideration re TLS-Required

Thanks for the feedback on my proposed language for a new security consideration regarding conflicts between the TLS-Required header field and DANE and MTA-STS recipient policies. Here's another stab at it:

=====

8.4. Policy Conflicts

In some cases, the use of the TLS-Required header field may conflict with a recipient domain policy expressed through the DANE [RFC7672] or MTA-STS [RFC8461] protocols. Although these protocols encourage the use of TLS transport by advertising availability of TLS, the use of the "TLS-Required: No" header field represents an explicit decision on the part of the sender not to require the use of TLS, such as to overcome a configuration error. The recipient domain has the ultimate ability to require TLS by not accepting messages when STARTTLS has not been negotiated; otherwise, "TLS-Required: No" is effectively directing the client MTA to behave as if it does not support DANE or MTA-STS.

=====

Comments welcome.

-Jim
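To make the interaction in the proposed 8.4 text concrete, the following is an added illustration, not text or code from the draft or from either message in the thread. It models both sides of one delivery attempt: the client MTA, which on seeing "TLS-Required: No" behaves as if it had no DANE or MTA-STS support and delivers opportunistically, and the recipient domain, which keeps the final say by refusing mail when STARTTLS was not negotiated. All names (`RecipientPolicy`, `TlsOutcome`, `sender_decision`, `recipient_decision`, `delivery_result`) and the simplifications (MTA-STS modelled only in enforce mode, case-insensitive comparison of the header value, no TLSRPT accounting, which is the open question above) are assumptions; the sample messages are constructed.

```python
"""Illustration (not from the draft): how "TLS-Required: No" interacts with a
recipient domain's DANE / MTA-STS policy on a single delivery attempt."""

import email
from dataclasses import dataclass
from enum import Enum


class TlsOutcome(Enum):
    """What the client MTA actually obtained on the SMTP session."""
    NONE = "no STARTTLS negotiated"
    UNAUTHENTICATED = "TLS negotiated, peer not validated against the policy"
    AUTHENTICATED = "TLS negotiated and validated (DANE TLSA or MTA-STS match)"


@dataclass
class RecipientPolicy:
    """Recipient-domain policy discovered by the client MTA.
    Assumption: MTA-STS is modelled only in 'enforce' mode."""
    dane: bool = False      # TLSA records published for the MX (RFC 7672)
    mta_sts: bool = False   # MTA-STS policy with mode=enforce (RFC 8461)

    @property
    def requires_authenticated_tls(self) -> bool:
        return self.dane or self.mta_sts


def tls_required_value(raw_message: str):
    """Return the stripped TLS-Required header field value, or None if absent.
    Header field names are matched case-insensitively by the email parser."""
    msg = email.message_from_string(raw_message)
    value = msg.get("TLS-Required")
    return value.strip() if value is not None else None


def sender_decision(policy: RecipientPolicy, tls_required, outcome: TlsOutcome) -> str:
    """Client (sending) MTA: 'deliver' now or 'defer' and retry later."""
    # "TLS-Required: No" is an explicit sender decision not to require TLS.
    # Behave as if DANE/MTA-STS were unsupported, i.e. opportunistic TLS:
    # deliver with whatever the session offered, even cleartext.
    # (Assumption: the value is compared case-insensitively.)
    if tls_required is not None and tls_required.lower() == "no":
        return "deliver"
    # Otherwise honour the recipient policy: with DANE or enforce-mode MTA-STS,
    # a cleartext or unauthenticated session is not acceptable, so queue the message.
    if policy.requires_authenticated_tls and outcome is not TlsOutcome.AUTHENTICATED:
        return "defer"
    return "deliver"


def recipient_decision(refuse_without_starttls: bool, outcome: TlsOutcome) -> str:
    """Recipient domain: it can always require TLS by rejecting sessions without
    STARTTLS; the sender's header field does not change that."""
    if refuse_without_starttls and outcome is TlsOutcome.NONE:
        return "reject"
    return "accept"


def delivery_result(raw_message: str, policy: RecipientPolicy, outcome: TlsOutcome,
                    recipient_refuses_cleartext: bool) -> str:
    """Combine both sides for one delivery attempt."""
    if sender_decision(policy, tls_required_value(raw_message), outcome) == "defer":
        return "deferred by sender"
    if recipient_decision(recipient_refuses_cleartext, outcome) == "reject":
        return "rejected by recipient"
    return "delivered"


# Constructed sample messages (not from the draft or the thread).
MSG_OPT_OUT = ("From: a@example.org\nTo: b@example.net\nTLS-Required: No\n"
               "Subject: test\n\nbody\n")
MSG_PLAIN = "From: a@example.org\nTo: b@example.net\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    dane_domain = RecipientPolicy(dane=True)
    # Recipient publishes DANE, sender set TLS-Required: No, STARTTLS failed:
    # the sender delivers anyway; whether it gets through is up to the recipient.
    print(delivery_result(MSG_OPT_OUT, dane_domain, TlsOutcome.NONE, False))
    print(delivery_result(MSG_OPT_OUT, dane_domain, TlsOutcome.NONE, True))
    # Same session without the header: the DANE policy wins and the message waits.
    print(delivery_result(MSG_PLAIN, dane_domain, TlsOutcome.UNAUTHENTICATED, False))
```

The two `MSG_OPT_OUT` runs show the point of the proposed text: the header only removes the sender-side requirement, so the outcome of a cleartext session depends entirely on whether the recipient domain enforces STARTTLS itself.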