Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
Daniel Margolis <dan@af0.net> Sun, 06 May 2018 19:45 UTC
Return-Path: <dan@af0.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63E2112D7F7 for <uta@ietfa.amsl.com>; Sun, 6 May 2018 12:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=af0.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0VSFmhTUNjkj for <uta@ietfa.amsl.com>; Sun, 6 May 2018 12:45:00 -0700 (PDT)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD2B812D7EA for <uta@ietf.org>; Sun, 6 May 2018 12:44:56 -0700 (PDT)
Received: by mail-wm0-x229.google.com with SMTP id n10-v6so12649943wmc.1 for <uta@ietf.org>; Sun, 06 May 2018 12:44:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=af0.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8AfiaLTx+ftRPsj/5rE3a0rM8FvBONIBYM6DxJOzdE8=; b=IumJfAXQA8m7leTO5MGuYRZeOm/RfGqBfW76DStyX7uXMswltgbrdHM6uAmZiQdBi+ sBeURRDMAKIzX/rud94J9Ors4n7DSe2HXVfcME6e8g8xWyFc8aNJf6Sg/rPPnr3iXnjJ 5AZoN9YA9LYkqtETSfZigMFyfPpK4TBqFzK0A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8AfiaLTx+ftRPsj/5rE3a0rM8FvBONIBYM6DxJOzdE8=; b=rvElIvzVEgAXpvD6YLFXOl6yNjG9CfRSuuSoO5I4BO3NpBE3C4zol9hSXvut5hL5D1 aY4AyzWCZ/1zzCEHksABSucUp3V8qwYghWgl3xAVfjQRR5KPZiApfIdScsNw6E8tUMm6 U0JL4RXNYZYuBLkcB9pZAS0qi8DpxAyVBLO6SpL11UrYzweb2IphWVU1bWHzlj0J+GrO NGg0Nsl6GLXjvNlXcHAD3nLAFdCMOgD8dF/v7IA0FIPSxOun0JQwRVmwYbECKAzATaIh 5rICPg9ZoC3BPNPf8dXHo2eShbmG5Zx2vY4CI3lUIQ/px/1a+NVJyru9ESWHeFjVY+0V zoHg==
X-Gm-Message-State: ALQs6tBDPl6E3FgOWl1B2dzuipWg6+V/Qlp2axsf9ZsByc2eK7W9ExHy TxWTe/4MRrGR7aCwWKItYk2Dha0nRrGaVZ/dV1GdLg==
X-Google-Smtp-Source: AB8JxZrogNIvD383mwTKj8BeraCAR7QnbofJ1CB4bdmZ3pY9YQ8voe+KYxyThMstQ5Ccv1lqzID472DtYdWovDYXjsc=
X-Received: by 2002:a50:af05:: with SMTP id g5-v6mr22637044edd.286.1525635895120; Sun, 06 May 2018 12:44:55 -0700 (PDT)
MIME-Version: 1.0
References: <152539648489.11713.7895583526344282774.idtracker@ietfa.amsl.com> <CANtKdUeK_HpOYsP-CfhF7m7-DYiSX39xTMLxqZw-1UQsn29xyQ@mail.gmail.com> <78C81C6B-1C5F-4361-A3B7-40D9012E406A@dukhovni.org>
In-Reply-To: <78C81C6B-1C5F-4361-A3B7-40D9012E406A@dukhovni.org>
From: Daniel Margolis <dan@af0.net>
Date: Sun, 06 May 2018 19:44:44 +0000
Message-ID: <CA+S86mWSNwzG0_y_d=yg8Nqf9gxFud+8TAYWHY3Uw6aqn_JKog@mail.gmail.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: uta@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, The IESG <iesg@ietf.org>, Leif Johansson <leifj@sunet.se>
Content-Type: multipart/alternative; boundary="00000000000095e2b1056b8ec994"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/SCJj3ZQcAE2nE3xERm6mFO6M14Q>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 May 2018 19:45:02 -0000
I don't believe that *pre-filtering *the MX candidate list is the only way to do it. You could leave the loop as-is and just refuse to connect to (i.e. treat as a transient connection failure) any candidate which fails the policy validation. So this is an implementation question; modifying loop pre-filtering is probably riskier than what we might call "connection early termination", but both are compliant with the protocol. The real difference between the two options is not, I think, this implementation question, but that the current protocol technically allows some valid configurations that are invalid in the MX-based alternative--namely, the case where the certificate does not match the MX hostname. That turns out to be fairly common (per https://conferences.sigcomm.org/imc/2015/papers/p27.pdf), though, frankly, I do not know that there's a good reason for admins to deliberately configure a system in such a matter and, as a result, I don't believe there's a strong argument for us preserving that flexibility. I guess the tl;dr as far as I'm concerned is that I think either way really can be done safely, that it's mostly a documentation issue, but I am generally hesitant to change things now if we don't have to. On Sun, May 6, 2018 at 8:41 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > > > On May 6, 2018, at 12:55 PM, Daniel Margolis <dmargolis@google.com> > wrote: > > > > 2. Why is the "mx" pattern matched against the SANs and not the MX > records themselves? As Viktor noted and I commented briefly in passing, we > debated this a *lot* before. One point here is that this is only visible to > MTA implementors; sysadmins who mistakenly believe the "mx" field should > match the DNS records (which should themselves match the servers' > certificates) will end up making their configurations valid per the actual > specification. In other words, "match the policy against the SAN" matches a > superset of conditions which are valid in the alternative ("match the > policy against the MX records and match those records against the > certificate"). Personally I would consider this edit to have been a > compromise--it was not and is still not my first choice--but, given it is > the status quo, I am fairly loath to change it. > > > > On these points--especially #2--I continue to defer to the guidance of > the chairs on how best to resolve such issues. > > After having to revisit this in response to the DISCUSS, I can > crystalize the issue in terms of the following dichotomy: > > * Does MTA-STS secure the connections to the endpoints indicated > by a domain's MX RRset, without preempting MX-based SMTP routing? > > or > > * Does MTA-STS secure the MX RRset, possibly filtering it to at > at most a set of names cached in the policy, with great care > to first take care of loop elimination. > > My sense is that the first option (current text) is a less invasive > change in SMTP, it changes only how the peer is authenticated. > > For example, it "testing" mode, one probably SHOULD NOT trim the MX > RRset based on a "testing" policy. Or one might support multiple > authentication mechanisms for the peer MX (say key fingerprint as > a fallback of MTA-STS fails). > > There are more implications to filtering the RRset then just > the presented-id matching... > > -- > Viktor. > >
- [Uta] Eric Rescorla's Discuss on draft-ietf-uta-m… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Alberto Bertogli
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Alberto Bertogli
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Daniel Margolis