Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 21 February 2019 22:30 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CABcZeBMw_yo8GwAN0jF+jLMfRWh6BsG_0jkxXF6Y-x+JUEfOnQ@mail.gmail.com>
Date: Thu, 21 Feb 2019 17:30:36 -0500
Cc: uta@ietf.org, uta-chairs@ietf.org, draft-ietf-uta-smtp-require-tls@ietf.org
Reply-To: The IESG <iesg@ietf.org>, uta@ietf.org, uta-chairs@ietf.org, draft-ietf-uta-smtp-require-tls@ietf.org
Message-Id: <F5522FD3-D588-48D6-AAD8-D3BBB8D82645@dukhovni.org>
References: <155076162945.8595.2671476533659571699.idtracker@ietfa.amsl.com> <9964642F-59A8-41E0-B892-509F0ADEF8F7@dukhovni.org> <CABcZeBPZWjA4Pc0yEwb7DNmE4esxwAqn=0Czc=L1G-qzb4cV6w@mail.gmail.com> <20190221204259.GZ916@straasha.imrryr.org> <CABcZeBMw_yo8GwAN0jF+jLMfRWh6BsG_0jkxXF6Y-x+JUEfOnQ@mail.gmail.com>
To: The IESG <iesg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/RDsCJEMkJ0IgJYEMnr0jUWfW38Y>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)
List-Id: UTA working group mailing list <uta.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>

> On Feb 21, 2019, at 3:52 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> I am not aware of any such right.  The receiving system is announcing
> a capability, and the sending system does its best to achieve the
> highest common security level.
> 
> No, it's saying "don't deliver this at all, if you can't do this"

That may be true of HSTS, but is certainly not true of DANE or MTA-STS.
Both specify how to deliver (more) securely *if* you choose to enable
the mechanism for the destination in question or by default.  Neither
mechanism is mandated.  Local policy always comes first.  One might
for example want to reach the postmaster of a broken site, or send
a mundane time-sensitive message.

The title of RFC7672 is:

   SMTP Security via Opportunistic DNS-Based Authentication of Named
         Entities (DANE) Transport Layer Security (TLS)

The word "opportunistic" is not an accident; the mechanism is not,
and should not be, a mandate from the receiving system.

-- 
	Viktor.
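As an added illustration of the point made above (not part of the thread, the draft, or RFC 7672), this is how a sending MTA can enable DANE by default yet let local policy override it per destination. The configuration uses Postfix parameters; the domain names are placeholders.

```ini
# /etc/postfix/main.cf (added example, not from the thread)
# Default: opportunistic DANE. If DNSSEC-validated TLSA records exist
# they become mandatory for that destination; if none exist, delivery
# degrades to ordinary opportunistic TLS ("may"). Nothing here is
# imposed by the receiver; the sender chose to enable it by default.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy: per-destination overrides (local policy
# always wins over the default above). Domains are placeholders.
#
# A site whose TLSA records are broken would otherwise have its mail
# deferred; relax to "may" so its postmaster can still be reached.
broken.example        may
# A partner for which mail must be deferred rather than fall back
# when no usable TLSA records are found.
partner.example       dane-only
```

After editing the policy table, run `postmap /etc/postfix/tls_policy` so Postfix picks up the new entries.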