IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Mon, 04 December 2017 19:01 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16BBB12878D; Mon, 4 Dec 2017 11:01:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, SPOOF_COM2OTH=2.723] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=kqY3fbtO; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=nBQpMcH/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jI0pL62aSz1; Mon, 4 Dec 2017 11:01:37 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93117127010; Mon, 4 Dec 2017 11:01:37 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id CD65C20DAF; Mon, 4 Dec 2017 14:01:36 -0500 (EST)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Mon, 04 Dec 2017 14:01:36 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=LAXRSSCkasds03cS36PLVfjxRGlER yLTsQOCRSj/7+s=; b=kqY3fbtOCrIufmwjIuV9dUOarwJOHLvbitHU0CETcaEQy 2pdIuliYh9DvSLxZDWdVUouLfVk2D8supRNeYeLx92yztSkREcF5Mi7vJBlb74/9 c5+XREPQdt2rGwNpMNi/Ag2FlSBViaGhswdzKx+JesBK1rRLhDH1vo4PK65PAWTz qlQ3ujkWFRENUQ0lsILhuGNhnYzxl+5e174sBD/vvcBwUmYuV6b8OVXZI3avvvCn 5sXW6TIL0KmslJW/IgMKsZYIQInO2vClIOAQ2UBCctFxv48d9/FR3hIsi5RZxrIu Qcz5Cx5MXpo8qKbJKHsVNS18X0TUaVj6MpUJ0xisA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=LAXRSS Ckasds03cS36PLVfjxRGlERyLTsQOCRSj/7+s=; b=nBQpMcH/bKOckvwzmdgkaE woKpa58nLLABG3hqpfM0z7iqYyf/SFerYTdDACXlgB0Mx7B7RaZVMb2ETIqtp0ux 7Vy8NchD19o2BS7kyv5vtizKcokZ0WpMAj7mygvGescInh7CstS6/jtm3FubtFX5 wXmjIUNFJNOtBau7OF8QkKw++WYzmToQUk5bzVp0Nk2e8fZOB+qsMbnwrO0pGrLZ oF9phOIALHLiLkucfGPKfVPfAObMLAaJTturNrkegThNOLnjBWpA2XvwCxcqBoyb LI30ZZxM1tS10sVk4NpLm7e7qEG0/EgaqsPiAALRVbtEITKO7FuWEX0iEZhqs4hA ==
X-ME-Sender: <xms:kJslWnLzu4BLrsROQPKCvJEAJkJmgWpNcCSwe8oe7ei6IAJCX3hfLg>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 9F43D9E0C7; Mon, 4 Dec 2017 14:01:36 -0500 (EST)
Message-Id: <1512414096.2279769.1193703080.61B9F662@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Chris Newman <chris.newman@oracle.com>, Keith Moore <moore@network-heretics.com>
Cc: Eric Rescorla <ekr@rtfm.com>, uta@ietf.org, uta-chairs@ietf.org, draft-ietf-uta-email-deep@ietf.org, The IESG <iesg@ietf.org>, Leif Johansson <leifj@sunet.se>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-1b87d328
References: <150852235551.15416.1247335476327491501.idtracker@ietfa.amsl.com> <98fddd93-a0a8-efa3-ce2e-530449ae536c@network-heretics.com> <8B20BC5A-A60A-4A31-9345-E970B31BC2C3@oracle.com> <a67ef1d0-1637-fe48-9fb1-664ad8b3172d@network-heretics.com> <D5ED7737-D201-41A2-B24D-661D10D19EE0@oracle.com> <CABcZeBPx2zS8Wr5179wkcmv-_=KeQSfCi91tb0OpSax7QbETPg@mail.gmail.com> <412F718C-F4C9-427C-8D07-3561F374C804@oracle.com> <29ec2879-c811-ef64-46e9-b19adb7fef8e@network-heretics.com> <8b2d406e-0d08-40e0-ee32-28c97367ac74@network-heretics.com> <479574C0-431C-4CEE-8B57-5ED9EC5D5D54@oracle.com>
Date: Mon, 04 Dec 2017 19:01:36 +0000
In-Reply-To: <479574C0-431C-4CEE-8B57-5ED9EC5D5D54@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/_Gy6CrSoXwX14KBUI2Aw_bC32uQ>
Subject: Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Dec 2017 19:01:39 -0000

On Tue, Oct 31, 2017, at 06:29 PM, Chris Newman wrote:
> On 30 Oct 2017, at 19:30, Keith Moore wrote:
> > After a bit more thought on this, I've concluded that using the mail 
> > server's server certificates to verify authenticity of SRV records 
> > probably isn't a good idea - or at least there are more considerations 
> > and pitfalls than can reasonably be thought through in the context of 
> > this document.
> 
> I think what RFC 7817 says about certificate validation is fine, so I 
> don't want to repeat or contradict what it says.
> 
> > One consideration is that TLS "reverse proxies" can (and likely 
> > do/will) use SNI to dispatch to different hosts on the back end, as 
> > one way to implement "virtual hosting" of mail services.
> 
> I don't know if this is done for mail, but SNI routing appears to be in 
> use:
>     http://proxy.dockerflow.com/sni-routing/
> 
> Luckily domain names are cheap, so example.com SRV can point to an 
> example.com.mailhosting.example.net domain name or something like that 
> so there's no ambiguity and RFC 7817 cert validation will work fine on 
> that domain name.
> 
> > Also, of course, being able to authenticate to two different servers 
> > (even if both present valid certificates for their respective domain 
> > names) is not the same thing as those two servers being the same.
> 
> It's becoming less likely over time that two connections to a particular 
> domain name will be handled by the same physical hardware. Luckily 
> certificates don't restrict this.
> 
> > So now I'm inclined to add a simple sentence or two along the lines of 
> > Chris's suggestion.   I think that's the best we can do in a short 
> > time without additional review cycles.
> 
> Agreed.

I agree as well.

v2.23.0 | Report a Bug | By Email