Re: [Uta] reporting, was CBOR, XML, JSON (was Re: Updated SMTP STS Draft)
Daniel Margolis <dmargolis@google.com> Sun, 08 May 2016 17:24 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BB0C12D17A for <uta@ietfa.amsl.com>; Sun, 8 May 2016 10:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.696
X-Spam-Level:
X-Spam-Status: No, score=-3.696 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Spdgt-tU_qXc for <uta@ietfa.amsl.com>; Sun, 8 May 2016 10:24:38 -0700 (PDT)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F17612D179 for <uta@ietf.org>; Sun, 8 May 2016 10:24:38 -0700 (PDT)
Received: by mail-io0-x234.google.com with SMTP id 190so154668094iow.1 for <uta@ietf.org>; Sun, 08 May 2016 10:24:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=fhLbqtA62Vd7VlQuU307T6mND7DRchWLmQZpbKhJZgM=; b=f6iZZvIdckbAkU71mmUTtmjFyzeReeFyh+nyuW2bQvulkyVdmgEowHiLd86Pt54P02 lVuGJY/w5m7F63vxtXh2q8fDqGKkPEfdX32qTzOquWqtmlEJ3buGwRi5u69sKExfkqCS G3TgKt6+hsG201Txk4upMotSuApupYZz3wOo03NgA0TYdF86ZSYZ5+fkSueVAgVDOHDV flGGobZc9Imt/jzEhqh6coyJOMm4dionLaNrbg/b5H80HQCbJCbFudgJ36Yj0jLmhEzI Zm4/DkSiZD9zxdkL6rmJObA0UiyC+Nj7liLZqj3cMNG3nB+7Ba0J4J5ethi3ZJIFT+d+ u5sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to; bh=fhLbqtA62Vd7VlQuU307T6mND7DRchWLmQZpbKhJZgM=; b=KIziBYe2XgD7bFPof5H9pJN/HwX/lY1+xfYTJCzZFBwO045DSjmrOPMDEIZauGdfte 2BDg5B3LQ/NeOg0f2V+NYtJwHC9nNjeD0zKDjFTdFv9P0l6ZIWwO3Z6Yzt/PTC4+AVy4 xtsxPaI2/OeSuKn7oU6kJIK7gGh/2nduOjVzYlnd+vub0aeANu9UMG4NRSr2Z4hC7cs6 Djjs0/bBqnglHgYzTSmK2BKTnqkuMBPZe5DX1/19awNKTd9s50/4tjuBoI/0MRFXUuVU aPLzgTmX6wDPTlOKadbymS+kcJ2jq94IxQ8yJUgYHXoS48VjCqwdBhV7rxkEqGS7lzSP AGgQ==
X-Gm-Message-State: AOPr4FVq00mJ6U9kRx1z/DOWsHGsen36YlXVwZzLcL0lagYDyv+VDHmPkqaNeiCCMlLacKf6TObvNkB/+BWG2WMa
MIME-Version: 1.0
X-Received: by 10.107.170.207 with SMTP id g76mr32745539ioj.58.1462728277568; Sun, 08 May 2016 10:24:37 -0700 (PDT)
Received: by 10.64.91.227 with HTTP; Sun, 8 May 2016 10:24:37 -0700 (PDT)
In-Reply-To: <20160507014321.GN3300@mournblade.imrryr.org>
References: <20160506235647.GL3300@mournblade.imrryr.org> <20160507010844.32784.qmail@ary.lan> <20160507014321.GN3300@mournblade.imrryr.org>
Date: Sun, 08 May 2016 10:24:37 -0700
Message-ID: <CANtKdUc7N7GWXYuHSJBfeRaoJ94SOE5VZmXqPgSTiFfT+9+=gg@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: uta@ietf.org
Content-Type: multipart/alternative; boundary="001a114159e063ad6e053257f718"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/UZ1ELWMpqVauw6cUUGJoC9DU5fs>
Subject: Re: [Uta] reporting, was CBOR, XML, JSON (was Re: Updated SMTP STS Draft)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 May 2016 17:24:41 -0000
Sorry, everyone. I've been out of the office the last few days on holiday and haven't had a chance to catch up on the whole thread. Regarding big providers' ability to monitor for misconfigurations, I think we should not assume they will always catch errors. Especially in the early stages of deployment, as Viktor noted, a small percentage of dropped mail could go unnoticed, so having a means to accurately report failures and their causes strikes me as valuable to everyone. Anyway, I'm not really seeing an argument that only certain classes of mail hosts would benefit from this, and of course that's not anyone's goal. It sounds to me from the tail end of this thread that the main argument here is contrasting out of band reporting (via HTTP) with SMTP-based reporting in a separate message and in-band reporting via some SMTP status indicator. Is that right? If so, can I guess at the pros and cons (non-exausively) as something like: - HTTP pro: works with hosted mail, works with outsourcing reporting (a la dmarcian), works even if the only MX for a domain is down con: requires a separate HTTP endpoint (that can handle POST or PUT, which is more than STS requires) - SMTP-separate-message pro: similar to DMARC, can be outsourced, requires no new infrastructure con: requires senders to not validate STS/DANE or requires recipients to have a different dedicated domain/outsourced recipient; potentially fails in the same way as the original message - SMTP-in-band pro: doesn't require aggregation, allows indication at a fine granularity ("this transaction failed"), no extra infrastructure required con: doesn't provide aggregation, in-band means if the MX is really misconfigured or the sender never talks to the right MX there's no way to get reports across These don't strike me as mutually exclusive. Having an in-band indicator of why the sender terminated the connection (like "STARTTLS wasn't supported and I require it") seems useful. Having out-of-band aggregation also seems very useful. In particular, one of the methods by which we would hope an *intermittent MITM* would be revealed is that reports of the occasional STARTTLS failure would indicate exactly this. If reports can only be sent *during the MITM to the MITM'ed MX*, this property is lost, is it not? So I believe we need to keep some method for aggregate reporting; I don't, however, think the option for aggregate reporting precludes more verbose in-band indicators of why a connection is terminated. (I will sit down and read the rest of the thread in the next day or two, so if I've missed something, please be patient.) Dan On Fri, May 6, 2016 at 6:43 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Sat, May 07, 2016 at 01:08:44AM -0000, John Levine wrote: > > > > It is the long tail of much smaller domains where SMTP transport > security needs > > > an effective alerting channel. > > > > So they can point the reports at some place like dmarcian.com, which > > does the analysis for small mail systems for free. Once again, this > > is not a new problem, and practical solutions are well known to people > > who take a few seconds to look for them. > > Most of the small domain operators will not do that. And this leaks > sensitive data. > > If you can't send DMARC reports to some domain, no big deal nobody > cares. There's little operational impact. If their certs expire, > and they don't notice, everybody who's trying to send them email > (and their postmaster staff getting support calls) feels the pain. > > I am not buying the outsourced processing model as sufficiently > broadly applicable. Why are you so opposed to recognizing that > perhaps we have two different use-cases to address, and might well > address both? I am not denying your use case, just saying it is > less urgent based on operational experience of resolving TLS issues > in forward delivery. > > As for the authors of the draft, they should not be focused on > *just* the large provider problem if this is to be broadly applicable > technology. If their part of the elephant requires aggregate report > flows, so be it. Not everyone will send them such reports, they > require a bunch of heavy-lifting. A simple in-band status indication > stands a better chance of being enabled by default. > > [ I am really hoping to not hear a counter-argument, I don't think > I am saying anything radically controversial, but I keep being > surprised ... ] > > -- > Viktor. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- Re: [Uta] draft-brotman-mta-sts/ Stephen Farrell
- Re: [Uta] draft-brotman-smtp-tlsrpt Viktor Dukhovni
- [Uta] Updated SMTP STS Draft Brotman, Alexander
- Re: [Uta] Updated SMTP STS Draft Leif Johansson
- Re: [Uta] Updated SMTP STS Draft Leif Johansson
- Re: [Uta] Updated SMTP STS Draft Mark Risher
- Re: [Uta] Updated SMTP STS Draft Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John Levine
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John Levine
- Re: [Uta] draft-brotman-smtp-tlsrpt Brotman, Alexander
- Re: [Uta] Updated SMTP STS Draft Aaron Zauner
- Re: [Uta] Updated SMTP STS Draft John Levine
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] draft-brotman-mta-sts/ Daniel Margolis
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] Updated SMTP STS Draft Jim Fenton
- Re: [Uta] Updated SMTP STS Draft John Levine
- Re: [Uta] draft-brotman-mta-sts/ Daniel Margolis
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] Updated SMTP STS Draft Daniel Margolis
- Re: [Uta] draft-brotman-smtp-tlsrpt John Levine
- Re: [Uta] draft-brotman-mta-sts/ John R Levine
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-smtp-tlsrpt Viktor Dukhovni
- Re: [Uta] draft-brotman-smtp-tlsrpt John Levine
- Re: [Uta] draft-brotman-mta-sts/ Brotman, Alexander
- Re: [Uta] draft-brotman-mta-sts/ Daniel Margolis
- Re: [Uta] draft-brotman-mta-sts/ Neil Cook
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-mta-sts/ ned+uta
- Re: [Uta] Updated SMTP STS Draft Leif Johansson
- Re: [Uta] Updated SMTP STS Draft John Levine
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] draft-brotman-mta-sts/ Mark Risher
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-mta-sts/ John R Levine
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] draft-brotman-mta-sts/ Binu Ramakrishnan
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] Updated SMTP STS Draft Mark Risher
- Re: [Uta] draft-brotman-mta-sts/ Daniel Margolis
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-mta-sts/ Daniel Margolis
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-mta-sts/ Daniel Margolis
- Re: [Uta] draft-brotman-mta-sts/ Viktor Dukhovni
- Re: [Uta] draft-brotman-mta-sts/ Mark Risher
- [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS D… Chris Newman
- Re: [Uta] draft-brotman-mta-sts/ John Levine
- Re: [Uta] special hostnames, was draft-brotman-mt… John Levine
- Re: [Uta] special hostnames, was draft-brotman-mt… Viktor Dukhovni
- Re: [Uta] special hostnames, was draft-brotman-mt… John Levine
- Re: [Uta] special hostnames, was draft-brotman-mt… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] Updated SMTP STS Draft Alexey Melnikov
- Re: [Uta] draft-brotman-smtp-tlsrpt Leif Johansson
- Re: [Uta] draft-brotman-smtp-tlsrpt Daniel Margolis
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] draft-brotman-smtp-tlsrpt Kurt Andersen (b)
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John R Levine
- Re: [Uta] draft-brotman-smtp-tlsrpt Orit Levin
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Daniel Margolis
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Binu Ramakrishnan
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Daniel Margolis
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Daniel Margolis
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John R Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Daniel Margolis
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John R Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Daniel Margolis
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John R Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Orit Levin
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Orit Levin
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… John Levine
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Daniel Margolis
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John Levine
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John Levine
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John Levine
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Daniel Margolis
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Neil Cook
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Chris Newman
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Daniel Margolis
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John R Levine
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Chris Newman
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John R Levine
- Re: [Uta] DNSSEC or the lack thereof, was reporti… John Levine
- Re: [Uta] DNSSEC or the lack thereof, was reporti… Viktor Dukhovni
- Re: [Uta] DNSSEC or the lack thereof, was reporti… John Levine
- Re: [Uta] DNSSEC or the lack thereof, was reporti… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John R Levine
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Jim Fenton
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John Levine
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Viktor Dukhovni
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… John R Levine
- Re: [Uta] reporting, was CBOR, XML, JSON (was Re:… Aaron Zauner
- Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP S… Sean Leonard