Re: [Uta] Updated MTA-STS & TLSRPT Drafts

Daniel Margolis <dmargolis@google.com> Wed, 23 May 2018 14:22 UTC

References: <72d533f892c24bd391a82ec4ae91d639@COPDCEX19.cable.comcast.com> <m3o9h8r34m.fsf@carbon.jhcloos.org> <3AA8513D-C6C4-4EAE-BF5A-0DF41E1CD8B2@dukhovni.org>
In-Reply-To: <3AA8513D-C6C4-4EAE-BF5A-0DF41E1CD8B2@dukhovni.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Wed, 23 May 2018 10:22:29 -0400
Message-ID: <CANtKdUc6wJDGVegEdqaZFZxxh47-QFvWy71gg6s+XLDbWPSu1g@mail.gmail.com>
To: uta@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/bCBSJrkikPj9jwtepLfGyD2VJxg>
Subject: Re: [Uta] Updated MTA-STS & TLSRPT Drafts

Thanks. Easy fixes. Done in -19:
https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/.

On Wed, May 23, 2018 at 10:15 AM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> [ Accidentally sent to just uta-chairs the other day, fixed, sorry ]
>
> > On May 21, 2018, at 7:38 PM, James Cloos <cloos@jhcloos.com> wrote:
> >
> > id> Note that in all such cases, the policy endpoint ("https://mta-
> > id> sts.user.example/.well-known/mta-sts.txt" in this example) must still
> > id> present a certificate valid for the Policy Domain ("user.example"),
> > id> and not for that of the provider ("provider.example").
> >
> > Should that be "mta-sts.user.example" vs "mta-sts.provider.example"?
> >
> > As is, it gives the impression that the policy host ought to provide a
> > cert for the policy domain rather than for itself.
>
> Agreed.   A fix might be: s/Policy Domain/Policy Host/
>
> I should have noticed a few other editorial issues earlier:
>
> 1. OLD:
>
>                        If the number of resulting records is not
>   one, senders MUST assume the recipient domain does not have an
>   available MTA-STS policy and skip the remaining steps of policy
>   discovery.  (Note that lack of an available policy does not signal
>   opting out of MTA-STS altogether if the sender has a previously
>   cached policy for the recipient domain, as discussed in Section 5.1,
>   "Policy Application Control Flow".)
>
>   NEW:
>
>
>                        If the number of resulting records is not
>   one, senders MUST assume the recipient domain does not have an
>   available MTA-STS policy and skip the remaining steps of policy
>   discovery.  (Note that absence of a usable TXT record is not
>   by itself sufficient to remove the sender's previously
>   cached policy for the recipient domain, as discussed in Section 5.1,
>   "Policy Application Control Flow".)
>
> 2. OLD:
>
>    Thus for a Policy Domain of "example.com" the path is
>    "https://mta-sts.example.com/.well-known/mta-sts.txt".
>
>   NEW: s/path/full URL/
>
> 3. OLD (possible confusion as to which should not be expired):
>
>   The certificate presented by the receiving MTA MUST chain to a root
>   CA that is trusted by the sending MTA and be non-expired.
>
>   NEW:
>
>   The certificate presented by the receiving MTA MUST not be expired,
>   and must chain to a root CA that is trusted by the sending MTA.
>
> --
>         Viktor.
>
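
Added example, not part of this thread or of the draft: a sketch of the sender-side decision that edits 1 and 2 above describe, where a missing or ambiguous TXT record stops discovery but does not evict an unexpired cached policy. The function names, the cache layout and the sample values are assumptions made for illustration; the "v=STSv1" prefix and the "id" field come from the MTA-STS TXT record format.

```python
import time

def policy_url(policy_domain):
    """Full URL of the policy; the Policy Host is 'mta-sts.' + Policy Domain."""
    return f"https://mta-sts.{policy_domain}/.well-known/mta-sts.txt"

def usable_txt_id(txt_records):
    """Return the id of the single STSv1 record, or None if the count is not one."""
    candidates = [r for r in txt_records if r.strip().startswith("v=STSv1;")]
    if len(candidates) != 1:
        return None  # zero or several records: no available policy
    fields = {}
    for part in candidates[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields.get("id") or None  # a record without id is not usable

def discover(policy_domain, txt_records, cache, now=None):
    """Return (action, detail). cache: domain -> {'id', 'expires', 'mode'}."""
    now = time.time() if now is None else now
    cached = cache.get(policy_domain)
    if cached and cached["expires"] <= now:
        cached = None  # an expired entry no longer applies
    txt_id = usable_txt_id(txt_records)
    if txt_id is None:
        # Discovery stops here, but this alone does not remove a cached policy.
        return ("use_cached", cached["mode"]) if cached else ("no_policy", None)
    if cached and cached["id"] == txt_id:
        return ("use_cached", cached["mode"])  # id unchanged, no refetch needed
    # New or changed id: fetch over HTTPS. The certificate must be valid for
    # the Policy Host in this URL, not merely for the Policy Domain.
    return ("fetch", policy_url(policy_domain))

# Constructed sample cache entry (values are illustrative only).
SAMPLE_CACHE = {"example.com": {"id": "20180523", "expires": 2000, "mode": "enforce"}}

if __name__ == "__main__":
    print(discover("example.com", [], SAMPLE_CACHE, now=1000))
    print(discover("example.com", ["v=STSv1; id=20180601;"], SAMPLE_CACHE, now=1000))
```
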