IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 06 May 2018 18:41 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12C3A12895E; Sun, 6 May 2018 11:41:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7L5W43DCIjwG; Sun, 6 May 2018 11:41:16 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B32F126FDC; Sun, 6 May 2018 11:41:16 -0700 (PDT)
Received: from [172.16.59.62] (unknown [66.171.165.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id D39C07A3309; Sun, 6 May 2018 18:41:14 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CANtKdUeK_HpOYsP-CfhF7m7-DYiSX39xTMLxqZw-1UQsn29xyQ@mail.gmail.com>
Date: Sun, 06 May 2018 14:41:12 -0400
Cc: draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, The IESG <iesg@ietf.org>, Leif Johansson <leifj@sunet.se>
Content-Transfer-Encoding: quoted-printable
Message-Id: <78C81C6B-1C5F-4361-A3B7-40D9012E406A@dukhovni.org>
References: <152539648489.11713.7895583526344282774.idtracker@ietfa.amsl.com> <CANtKdUeK_HpOYsP-CfhF7m7-DYiSX39xTMLxqZw-1UQsn29xyQ@mail.gmail.com>
To: uta@ietf.org
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/TLYd1lc9QqbxkBpOGjDq7mvTWl0>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 May 2018 18:41:18 -0000


> On May 6, 2018, at 12:55 PM, Daniel Margolis <dmargolis@google.com> wrote:
> 
> 2. Why is the "mx" pattern matched against the SANs and not the MX records themselves? As Viktor noted and I commented briefly in passing, we debated this a *lot* before. One point here is that this is only visible to MTA implementors; sysadmins who mistakenly believe the "mx" field should match the DNS records (which should themselves match the servers' certificates) will end up making their configurations valid per the actual specification. In other words, "match the policy against the SAN" matches a superset of conditions which are valid in the alternative ("match the policy against the MX records and match those records against the certificate"). Personally I would consider this edit to have been a compromise--it was not and is still not my first choice--but, given it is the status quo, I am fairly loath to change it. 
> 
> On these points--especially #2--I continue to defer to the guidance of the chairs on how best to resolve such issues.

After having to revisit this in response to the DISCUSS, I can
crystalize the issue in terms of the following dichotomy:

   * Does MTA-STS secure the connections to the endpoints indicated
     by a domain's MX RRset, without preempting MX-based SMTP routing?

or

   * Does MTA-STS secure the MX RRset, possibly filtering it to at
     at most a set of names cached in the policy, with great care
     to first take care of loop elimination.

My sense is that the first option (current text) is a less invasive
change in SMTP, it changes only how the peer is authenticated.

For example, it "testing" mode, one probably SHOULD NOT trim the MX
RRset based on a "testing" policy.  Or one might support multiple
authentication mechanisms for the peer MX (say key fingerprint as
a fallback of MTA-STS fails).

There are more implications to filtering the RRset then just
the presented-id matching...

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email