IETF Logo Mail Archive

Re: [Uta] "webby" STS and DANE/DNSSEC co-existence

Daniel Margolis <dmargolis@google.com> Thu, 14 April 2016 08:58 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFCE512E046 for <uta@ietfa.amsl.com>; Thu, 14 Apr 2016 01:58:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.696
X-Spam-Level:
X-Spam-Status: No, score=-3.696 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id seFZDE2GLf0I for <uta@ietfa.amsl.com>; Thu, 14 Apr 2016 01:58:34 -0700 (PDT)
Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1B1512E023 for <uta@ietf.org>; Thu, 14 Apr 2016 01:58:33 -0700 (PDT)
Received: by mail-io0-x22c.google.com with SMTP id u185so97225023iod.3 for <uta@ietf.org>; Thu, 14 Apr 2016 01:58:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=od4anPpGJBrddXyqmjTdA3ag6fCXmiKX5tlrUm9G/8w=; b=UfzwtpilxahcuXfaQgjUKhH6bkKFfgWMpLbafTr8XrJx3K3l0ePLl3jF5t2EPYKq71 djp1sgFVtv4ca69xEJVmTRacUwRSEUCHbyIT4ImQBRlJwxbsG49IqCv5J+3JulsASon9 i7A/K5mTE40zpN1Su64T0Fq4bJGHPnrD3F10I8tAz1MlMtPd6EQj37z31830Aii/W/bv ri+F6Uxbuo3p2qvkSU6O7Ulv0EfKsaxbVuJWIiG/GtVFoBsPeSOBpfgdooEUs8TaDTX9 cxUnXB7nL/U2BeGlIAPPlf+FfUvSxXLt/I6XuCC9gYaGQbUZhnmeSwAG3tVf/TfLwsZ/ quag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to; bh=od4anPpGJBrddXyqmjTdA3ag6fCXmiKX5tlrUm9G/8w=; b=WDOrAHow23WQ0INqEkthVZTd4Sbu+rbgDB4OcSqn7B7DJQV95ruOHWElJt2skV0BnA jNpYPQVLv1773Jb2gbVoFTFnxr8jx6t4jEEjeYelQIs+2cw+sxyIAmDuBniYtwDdcxd4 KsnuItVPjnOPNNEfM9QkJ0uFkgsV8y11BjmaoYsGnay79Wzsj0wfHM02jLbTCF9iP+uy RZBnO+56SLShXmNviqx6k15o4mZfhFYXo3uf1QnzkrF12sAUegExjsQbfBIXRy5mCkyG s1n3mwjsK+KMpCg8z5uyLTo2dlURk5fX7NqWkoKNn+W+kqYpn4Q4pM174vGudTW1isF5 /Wjw==
X-Gm-Message-State: AOPr4FV90T7G0+3SzkOZopyZbnGsqy58OYueO6gmRQpruf4uj/cP+pWrS57Ej3qe21TM7npCf0JRqIA5OUHBdMrW
MIME-Version: 1.0
X-Received: by 10.107.170.216 with SMTP id g85mr14239923ioj.58.1460624313130; Thu, 14 Apr 2016 01:58:33 -0700 (PDT)
Received: by 10.64.91.226 with HTTP; Thu, 14 Apr 2016 01:58:32 -0700 (PDT)
In-Reply-To: <20160414063807.GB17212@mournblade.imrryr.org>
References: <20160413191405.GF26423@mournblade.imrryr.org> <542002133.1160.1460581138072.JavaMail.yahoo@mail.yahoo.com> <20160414063807.GB17212@mournblade.imrryr.org>
Date: Thu, 14 Apr 2016 10:58:32 +0200
Message-ID: <CANtKdUdT+Lf89-EiJQ9rCvv=ph+z2AJEjSM7KUDcs85ztgRPEw@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: uta@ietf.org
Content-Type: multipart/alternative; boundary="001a11425ab856147c05306e195b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/W-s85wHs_n6HAfRLlCl0tlNqffk>
Subject: Re: [Uta] "webby" STS and DANE/DNSSEC co-existence
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2016 08:58:36 -0000

On Thu, Apr 14, 2016 at 8:38 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> If the STS spec is just for email between Yahoo and Gmail, sure,
> go for it.  Less work for me, I won't need to implement yet another
> transport security mechanism.
>
> A more reasonably modest STS would stay well clear of prescribing
> such fine details.  Once the policy lookup requires WebPKI support,
> pinning MX host certs is fragile over-engineering.
>

To be clear, HPKP allows pinning a root or intermediate cert, not just the
host cert. I think pinning someone in the cert chain and not the host cert
is generally preferable (in terms of safety and ease of certificate
rollover).

But in terms of broader feedback, I think you're making a really important
point here (and up-thread) about (config) usability and security tradeoffs.
For now, simply getting CA *or* DNSSEC based signing of security policies
is a huge benefit for MTA-to-MTA SMTP. In a future where CA or registrar
malfeasance is the weakest link, we know the next steps--key pinning, cert
transparency, and similar. But that would be a future where we've already
vastly improved the state of the art from most deployments today. ;)

Dan

v2.23.0 | Report a Bug | By Email