Re: [Uta] Expired/sold domains with a long max_age policy
Daniel Margolis <dmargolis@google.com> Wed, 16 August 2017 08:07 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35AB9132518 for <uta@ietfa.amsl.com>; Wed, 16 Aug 2017 01:07:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fJF4k7S5aKFr for <uta@ietfa.amsl.com>; Wed, 16 Aug 2017 01:07:30 -0700 (PDT)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A3CF1321A8 for <uta@ietf.org>; Wed, 16 Aug 2017 01:07:30 -0700 (PDT)
Received: by mail-it0-x233.google.com with SMTP id 76so14202809ith.0 for <uta@ietf.org>; Wed, 16 Aug 2017 01:07:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=Ya8ApYlgYRQsGpojXHwOa9Wh1Ncc+HX/zoMA/CHsEhM=; b=HN0j5sf6rAEAViK33/VxUsNMOWwTn36LtCj9nrj424URzw50ah6KTifzh1abXnCjCL rumwezuDOHFD8qO8H3ueA1T8ctCI96WZ6wCudKZfW+CjPqWrc+tw9yTf7zwyMRx5kls9 4ElxqboRHwlelonZKb0oI2i6sjsvgJBtFUapjOahVma/so+quuQF/tan+2LzyCzYqhrQ thvdblikzSe5DzKC9nC3Uti5lE/RvyebyhTeoER7jLmQ+rWCer/Pq91n9NpDUiuLWpOj PCfx1g8yEBoxag+zeFRI1A9+Ocf7TaN2VjROZedYLgAwNaXq82r1a6OjapmBmLmAMehC 3UBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=Ya8ApYlgYRQsGpojXHwOa9Wh1Ncc+HX/zoMA/CHsEhM=; b=c9NCfOrkCDGVQSykM4RW/HC37NL9yT2Czcz476i2L4vq+5fXCBzvxzmHd/qi6imQ3F X4gZ5UmzwLMTJHTqVYVyt5keu+FZx0BDXaBRpqI4FLyYQluFSAwPEb2i/XVZSHpvWeTG D+UTA24SRab1We+6earvE8k5nKDx+3Ngva651XqaJNQuD8zSb1gMrvCC8y79/nss00gf qx2xWEsg77Qr2547xxjvzJ3E1g7kbUrRAqAxiM5vpg3tLrrTlngWEfO0wkfbF9Qr43o6 wmdixUPdYh7wNlFsmpl81v9X57+9wVR5hbJBGN8PO1pw+kltRtbYcw4xCi7ZItZC7Lcf L2vQ==
X-Gm-Message-State: AHYfb5hHgNlzYocgw3/2bu7kf9o0JPEuzJtXkvOxlFWsNwodXuRPC0vq H2KOP16bp3NigCGe2u+s/6kqO3TMnEhufKY=
X-Received: by 10.36.211.201 with SMTP id n192mr1204608itg.96.1502870849337; Wed, 16 Aug 2017 01:07:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.133.159 with HTTP; Wed, 16 Aug 2017 01:07:28 -0700 (PDT)
In-Reply-To: <20170816060648.GA8146@mournblade.imrryr.org>
References: <CAHZoaj5oZgi3x5_duzW=jzYD_iio8u-r4-pQr2nYJeHTfUOs8Q@mail.gmail.com> <20170816060648.GA8146@mournblade.imrryr.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Wed, 16 Aug 2017 10:07:28 +0200
Message-ID: <CANtKdUfJj92EsvZdxhtZynz3AgyHUBEkJ-dxMZtGJTDcqqSPnw@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a11499ff625f40c0556da6308"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/XpfUYHvIEbLhXwV8-WKhn21FsPk>
Subject: Re: [Uta] Expired/sold domains with a long max_age policy
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 08:07:33 -0000
I'm OK with a one-year SHOULD NOT. Realistically, though, that year could still be painful; as Viktor said, there's always the opt-out option (but, yes, you have to get a certificate, set up DNS, etc). I would liken this more to HPKP than HSTS; HPKP, unlike STS, has (as far as I can tell) no workable opt-out mechanism; if someone pins a leaf certificate that the new domain owner doesn't have, the new domain owner is screwed until/unless the policy expires. I'm not saying that's in any way a mitigation of STS having some similar issues, though I'm also not personally aware of HPKP being abused like so in the wild. (Then again, HPKP adoption appears to be fairly minimal, so this has less chance of happening by accident.) On Wed, Aug 16, 2017 at 8:06 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Wed, Aug 16, 2017 at 02:39:43AM +0200, Ayke van Laethem wrote: > > > I see a potential issue with very long max_age rules. Consider that > > the domain name example.org is sold to someone else, but the previous > > max_age in the policy was set at 10 years and various hosts (e.g. > > gmail.com) have sent email to example.org and thus have a cached > > policy. > > > > So if the new owner of example.org decides to add email, they *have > > to* also implement STARTTLS with the given MX hosts in the previous > > policy (which will often be impossible due to moving to a different > > email provider), or publish a new MTA-STS policy. > > If they take over the domain, they presumably also take over DNS. > If they don't intent to implement STS, they will not publish the > TXT record, which is a change in the TXT record, and thus any cached > policy should trigger a refresh attempt. > > For that refresh attempt to cause the policy to be flushed there > would actually need to be an HTTPS server serving a "none" policy. > > > If they don't know > > MTA-STS was used before, sending email will not work from some > > domains, without a clear signal as to why this is the case. > > Yes, the new domain owner would have to know that the domain had > STS< or just publish a "none" policy in case there was a previous > policy in place. The difficulty is of course how long such a "none" > policy should be in place. For this to be a manageable duration, > there should be a maximum "max_age" that sending systems accept, > with any higher values truncated to that maximum. > > > Another option is to limit max_age to one year, similar to how HTTP > > used to limit caching to one year [1][2]. Also see [3]. This is not a > > perfect solution, but it will reduce the size of the problem. > > Yes, with the limit imposed by each sender and a "SHOULD NOT" on publishing > max_age beyond that limit for receiving domains. > > -- > Viktor. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] Expired/sold domains with a long max_age po… Ayke van Laethem
- Re: [Uta] Expired/sold domains with a long max_ag… Viktor Dukhovni
- Re: [Uta] Expired/sold domains with a long max_ag… Daniel Margolis