Re: [Uta] AD review of draft-ietf-uta-smtp-require-tls-06
Jim Fenton <fenton@bluepopcorn.net> Thu, 10 January 2019 19:48 UTC
Return-Path: <fenton@bluepopcorn.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F5BE131223 for <uta@ietfa.amsl.com>; Thu, 10 Jan 2019 11:48:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ifg1THTfvMPa for <uta@ietfa.amsl.com>; Thu, 10 Jan 2019 11:48:51 -0800 (PST)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E580130F88 for <uta@ietf.org>; Thu, 10 Jan 2019 11:48:51 -0800 (PST)
Received: from steel.local ([IPv6:2601:647:4300:2290:a942:4757:4188:8857]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id x0AJmnc0019897 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <uta@ietf.org>; Thu, 10 Jan 2019 11:48:50 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1547149730; bh=shA3T/xxXHghcp0GNURpbZBNsPUFMougxt3XY4GsA84=; h=Subject:To:References:From:Date:In-Reply-To; b=WZ9BuY+h8OZZkFD2Xd7Cy+Pbi0JP5adwhCS6sbKtz+IUOyYYihJzyQE1a+CHN3sP4 cPpLynzVDRmtpOsX5raOahR71KFDJLALgECC4qpbrM5VlbM5Ai2O62Ij2eqQ47mlJ4 h3krS2FwwZ4OQSOL2Rq7ec8Qa3jDz+tqD28wC5E4=
To: uta@ietf.org
References: <fdd17939-cfab-c078-420a-60aaca47c696@isode.com>
From: Jim Fenton <fenton@bluepopcorn.net>
Openpgp: preference=signencrypt
Autocrypt: addr=fenton@bluepopcorn.net; prefer-encrypt=mutual; keydata= mQINBFJNz0MBEADME6UoNSsTvSDJOdzL4yWfH4HTTOOZZPUcM/at38j4joeBb2PdatlwCBtk 9ZjupxFK+Qh5NZC19Oa6CHo0vlqw7V1hx1MUhmSPbzKRcNFhJu0KcQdniI8qmsqoG50IELXN BPI5OEZ3chYHpoXXi2+VCkjXJyeoqRNwNdv6QPGg6O1FMbB+AcIZj3x5U18LnJnXv1i+1vBq CxbMP43VmryPf8BLufcEciXpMEHydHbrEBZb/r7SBkUhdQXjxRNcWOLeYvOVUOOrr1c+jvqm DEbTWUJVRnUro/WpZQBffFnymR0jjkdAa8eOVl/nF2oMLbaBsOMvxCRSSEcGhuqwbEappNVT 1nuBTbkJT/GGcXxc+lEx9uNj86oYC4384VZJMTd1BRI4qPXImNZCIdmpKegK743B6xxN6Qh1 Tg167pn9429JENQE/AFIVX5B/gpsg7Aq+3rmz9H6GbfovPvFV3TBTgsHCHAMC8XU+S4fhcqN PN0lbUeyb7g6wxaE+dYqC7TExx7G3prw4v66y0qS7ow/Cfw8XXOEkaFQ4XwP7nvfILT+9CcU yS8I40vlDFU9Wnt56CbGz0ZVQgHnwyPXL+S9kCcIwRLFx1M79s6T6qwX1TXadfpbi1uIw7XG TiPDT8Pk6i2y22oSSROyYD4D+wOhVkkvO0S8iZ3+LhAYUx86nwARAQABtCNKaW0gRmVudG9u IDxmZW50b25AYmx1ZXBvcGNvcm4ubmV0PokCVQQTAQIAPwIbAwYLCQgHAwIGFQgCCQoLBBYC AwECHgECF4AWIQS1nUkJe2fEXbvBaacbJaiwFdCfvgUCW4RXswUJCxkNcAAKCRAbJaiwFdCf vjdyD/wNUBktyTqGVI5JGE8TJX6+6bmq5HHJ/I+CgGNtyvjriNZdxZJ86L5Z7MIidBeUOXvl /DZK+1zvS/hq8oMe7rPMbSepHHdhMyVTBuWnUG3n48dYOMqQjttBxisauC9GXrejhDJeGP+y WDLRdkMs1h5M48MKpEHf69pvkb+CCewbJeJH3kpPc5Iv9lJEOM/SrGlR72RUsMHeBcc3ykPR CeW0MpXGKAo5QCRw51uvuy7jZdlxOrLMMvMSyqCVanaW2Iz8mXQKufahkDfjff/eBUgXSfxS L1H2ZUN8XeyLttn6iei0Jqs1aSTmU1y0XxMM5k0rgA+3PoZrkgYTSvVBQMhE+sIyeoiB9oat 5h7M7nZBXc4LQTEwMFCamE4GIaSkpLFwBBwZwPa487XKnPbGV6zr7sYEzDaCvkQGJdfw6NqA 5IxLgmAoCAWnp3h26OtUJ0lmgpRy/Vy4yinbVAvkBq1CB1gRlNDYn0Ton06Bz0ltSpBTWTzj m6zvnA2JLzyFrTc30PR22WD/m18/qgua7YCiP1xu88AsnY5HPgxDj88PDiiyuFftYHhSY0Dy nV+iz+NEPal/LaklqVmA1+l8qj/SPAdycbD/s2X6MHjPBamdBmzytuEZnv+LImPTkdswExLD AORVDaH2SYuznhFs7xZ/t1rB5Yo1l5eDGdTQ6KLsDLkCDQRSTc9DARAAwZaXYs3OzGlpqvSH 3HR9GjSzIeP0EmsBCjpfIdZbQBwQ3ZREiMGInNxV+xkdjLDg0ctrWzUCUe3plWe5NJkpjqm+ KMc7GKhyeWJ5MZRtVrh0VpFTqi8UwYPWumAYqE1y/U1me/zHpfG9EDwdSYqMkPF76Fy5W+vh ZP2ILKaY8qWSLyH8TPl5mFGBypfT8Q6UuzlRs2aTbsTtBX/qwH7gztMRJSjQtYo20AqCgBBH IA/0xV5qDH7CVYyKyPQ4tJLQ8/xyTysUS5fewrj8lZo/G9SaNtC3CEvrJYwyA0nvYB6+hJPM qMP/tyRXM/9XY3qO4Vxuc+m5fYbTZa5GYAZNNuB5dvqI1U0sFTWBEbpAeabqCQ40ZnFSj+t1 tBuwfj4ey/oJ78WRyg5+VTvPKRRubOmZcnzj5yfTS3VGxAZb4Nsj1S2f3KLP0Z+Cv4dt893I 2JWTChw7jA1omF0QTQaBq140n084PFndBHudrZ3cz+APC89iie2HQ4jGQldXZXnGySHnHlA+ WUyZ9wgOplW9F4Q/Lps1bnuh5VttPVpNfjX8hiV48al+b+ut4nfzXAripIRWF3TL72/6JqgE KNhRKyRn0S6BidieSyHWzqJR3Roi/YNTvyXyLh6i6jtByb3FbnhYf/9olobDpj0E+kTemLrw owre85gwupSphqlzVSUAEQEAAYkCPAQYAQIAJgIbDBYhBLWdSQl7Z8Rdu8FppxslqLAV0J++ BQJbhFZUBQkLF7qRAAoJEBslqLAV0J++wvgP/jPjfjH3zEGYhdv89B0vFsRIBDDZzJuMxZZL EW/FyqKqswTHt6HD2ScuiGNEsNWebKEZbj2+Y673KqWnBGMFuJovAzlLeNNxQToJq03pzm/9 4A0ePYk9xzrMgtW+DEUemWElvMbSwZYid8Zj4lAx+U/X6Dh7HPSTx8DO4BKRA4cLrASOaUuS /w8/2eTXNEJssqc8Shwq6bNO5cPXrjb/qJgbb/MOLp0Nn1vNIPjoi/88910pyOV9chYJJFRX zOofGwaRjvcO55X57lveBrNEgH453EHa7QAHL4wD2dbCd445YOPkn0mBNJe3Un5JTsi6IQaK NHUMfwTWrVWN8RapFaPv6YXVBEvpA13G88TFkR5UHlz6YEUMATmgJQpmTFRkPYT0DTEbL4/O ywFgqMzmY1ojKV/Z6iWCAHqVnyFr6NtTFmT/qkOtb933YWJZW6Pg/Us2rZHro7uvQ/bf7Uxb vkn4lX+VneDBjsk3RPnHO/6k8lY2xQ343O7QOedSkM6rJpB9IbgXvHJNJfAWV+L89ElZeKJr VNaQqAw/1uXM7s8MVc+qwoT+DN0jsdqkBcuBxnbYeyM/8X6wcZHopV74r7SAbH4TrtjcBft5 nyM0UroVaEXvJxLzL3kQTsHIiDtGVuYwDTHzVl9591fuyEe0cYZVP2WckXcuM7EUn4CPBUYJ
Message-ID: <add880da-ecf4-822c-f284-01004654dfbd@bluepopcorn.net>
Date: Thu, 10 Jan 2019 11:48:43 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <fdd17939-cfab-c078-420a-60aaca47c696@isode.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/_ptqTVAvCWs-a-MJKkl0mm6TAMc>
Subject: Re: [Uta] AD review of draft-ietf-uta-smtp-require-tls-06
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 19:48:53 -0000
Thanks for your review, Alexey. Responses and a few clarifying questions below. On 1/9/19 8:34 AM, Alexey Melnikov wrote: > Hi, > > Sorry for the delay in reviewing this. I reviewed it in 2018, but > needed to work on expanding/decoding my notes so that they become > useful for other readers. > > > The document needs to specify line length increase and whether the > extension is allowed for SMTP Submission and LMTP (I think the answer > is Yes to both). Specify line length increase: I'm not sure what you mean here; presumably something having to do with the additional length from the presence of the REQUIRETLS MAIL FROM parameter? Submission: will add. LMTP: I have never run into it, and it is informational. Does anyone actually use it? > > > In Section 4.2.1: > > RFC 6125 use needs more details, in particular on whether CN-IDs are > allowed, use of wildcards in certificates. I will followup on this > separately. Will wait to hear from you on this then. > > > > 6. The SMTP client SHOULD also require that meaningfully secure > > cipher algorithms and key lengths be negotiated with the server. > > The choices of key lengths and algorithms change over time, so a > > specific requirement is not presented here. > > This SHOULD is not implementable as written. The document needs to > provide more details on where this information can be found. (Imagine > that I implement a new MTA that supports this.) As may be clear from the specification, I struggled with this a bit. I didn't want to put in a specific requirement because I don't like the idea of lots of specifications calling out specifics and then having to be revised as things change. I'd rather point to a BCP, if there is an appropriate one, that specifies this and changes from time to time. Is there such a BCP? Or I could perhaps just leave this out, because it's somewhat obvious and clients shouldn't be accepting insecure lengths and algorithms anyway. > > > 5.7.x error code needs to be marked for IANA to assign. Please add an > IANA Consideration for it. Will add. > > In Section 4.2.2: > > This section is not clear about when to insert RequireTLS: NO header > field in the message! That more properly belongs in Section 3, "The RequireTLS Header Field", since 4.2.2 deals with the mechanics of what to do when it is there. The answer is that the header field is inserted by the originator when sending a message for which they want delivery to have clear precedence over security by ignoring MTA-STS and DANE if necessary. Should this be more explicit there? > > At this point in the document it is not even very clear that the > REQUIRETLS MAIL FROM parameter can have multiple values! In fact, the > document has no examples and no ABNF, so I don't even know what the > syntax is! Per WG consensus, the options for the REQUIRETLS MAIL FROM parameter no longer exist. If I missed something and there is still some text referring to them, please let me know. Examples/ABNF, I had thought this was simple enough that these weren't needed, but fair point, will add. > > In Section 5: > > > The SMTP client for a REQUIRETLS > > bounce message MUST use an empty MAIL FROM return-path as required by > > [RFC5321]. > > Don't use RFC 2119 language, as this is already required by RFC 5321. > I suggest you just use non normative language here. Will do. > > > When the MAIL FROM return-path is empty, the REQUIRETLS > > parameter SHOULD NOT cause a bounce message to be discarded even if > > the next-hop relay does not advertise REQUIRETLS. > > Shouldn't this be mentioned in one of 4.X sections? Yes, it should. > > In Section 8: > > > The purpose of REQUIRETLS is to improve communications security for > > email by giving the originator of a message an expectation that it > > will be transmitted in an encrypted form "over the wire". When used, > > REQUIRETLS changes the traditional behavior of email transmission, > > which favors delivery over the ability to send email messages using > > transport-layer security, to one in which requested security takes > > precedence over delivery and domain-level policy. > > Is this still true when "RequireTLS: NO" is used? No, this needs to be updated. > > > It looks like RFC 7672 reference should be Normative. Yes. Look for a revision in a week or so. -Jim
- [Uta] AD review of draft-ietf-uta-smtp-require-tl… Alexey Melnikov
- Re: [Uta] AD review of draft-ietf-uta-smtp-requir… Jim Fenton
- Re: [Uta] AD review of draft-ietf-uta-smtp-requir… Alexey Melnikov
- Re: [Uta] AD review of draft-ietf-uta-smtp-requir… Alexey Melnikov