IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 14 March 2019 15:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25B63130EC3 for <uta@ietfa.amsl.com>; Thu, 14 Mar 2019 08:54:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cKCb7OTvJ6Yy for <uta@ietfa.amsl.com>; Thu, 14 Mar 2019 08:54:13 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FFBA130EC8 for <uta@ietf.org>; Thu, 14 Mar 2019 08:54:11 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id 10so4610426lfr.8 for <uta@ietf.org>; Thu, 14 Mar 2019 08:54:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Cwuoh2pBRGThLzC0GugWH90s59aNWDfBGAuD/8iSe6M=; b=KTCxTexElgFYaTi1IaaFNsEZ6Mru3Iad1GCMM2rjpEHWng7BKBKZfvg/P+aCx3QznQ TSziYpmZKeLjMp1JipTz8rYscTxXlDPGwfxYPd6Z/CoZ/Lq3mvrrF32ehw7YDr0cWCTc aSyZ3GiGb2ldl4ocWLqQtnB84L27879MkaJiGl1zC9q4H1BsC+H3CFWHWl42+G9AE88p mxSyFfgPI6ek/4YZy3i47hZUyDQ7CDad5VOYkYjWfUW++8NCGH9/quxQ9BOOPHTu+Wsa kd0aBclcLf8ADT1t3Jd2X+27T1w1NeOz4wCforncb/AoDhs1E+Pi/Pqovi/lkSntSi9i cwhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Cwuoh2pBRGThLzC0GugWH90s59aNWDfBGAuD/8iSe6M=; b=EXBezLDBXsNFBXvC+H2NbmHl0Lm8vDfifccot89n3KPt1NLAx1EnedPuNwEXvodSXA FA7wnuZ7Eb4C6hMGIiXxnWUOh81gteFGtr3MGZvBdZLw0nIQ3sAbfIPoMcNxF9cjdr6j CdSMngYVAX6W7UpnHhDbszc8+p0d19QC5Hp9KD+pLe77/6l80sFCkteA+keO8MbZb3My 1b+/9WtyduFr7BZtuvWvaJjSn3YvLkv7inOZNx/AvjWyOEvofxzjF/CnsQqu+q0ariim fq2FuW4jIH4NAvrNSngqvZrR8j2zu8MIm60dLoMpC+5aVuhSv14Rz+MUZXFWi7ZrkolO mO5w==
X-Gm-Message-State: APjAAAURrt5BViH/7lZnBTgF98g8wuJuI1O3jZR4CHMmuF3gRK1HLXJy D8H2LLJVxug/1nM9/J8R8FScM5Sl4ZpcINQkywSS4jGHnL8=
X-Google-Smtp-Source: APXvYqzWKyfmyV7se14Zv51OlhAvzQqmtjbyPRJ45N0M2uAZZnRRyeI8BmdD25pFoLibYr8kzxJ+XD4yc0bNafqYHls=
X-Received: by 2002:ac2:592f:: with SMTP id v15mr3458589lfi.133.1552578845871; Thu, 14 Mar 2019 08:54:05 -0700 (PDT)
MIME-Version: 1.0
References: <155076162945.8595.2671476533659571699.idtracker@ietfa.amsl.com> <b60988cd-ef8a-46db-8d70-795954109bd3@www.fastmail.com> <CABcZeBP-qzG4c2SX5P3HeDC2P5ChVTDA43MSvQXk1=bxBEr=2A@mail.gmail.com> <E2B60AD7-2CED-4480-AAAA-38714E95EBD0@dukhovni.org> <CABcZeBOWw=XEbyxu94_v-kkYxyuuPDTnJeJ+_-44VoCOFTyOBw@mail.gmail.com>
In-Reply-To: <CABcZeBOWw=XEbyxu94_v-kkYxyuuPDTnJeJ+_-44VoCOFTyOBw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 14 Mar 2019 08:53:29 -0700
Message-ID: <CABcZeBO30t6vYXO1TdjSriwoB=NYoEGUDB3P2r2mietFAeJy4Q@mail.gmail.com>
To: uta@ietf.org, uta-chairs@ietf.org, draft-ietf-uta-smtp-require-tls@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000098297605840feeb9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/bH2Yp1ViXdXacaaW6PE18YDT5ys>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 15:54:15 -0000

We had a bunch more discussion on this on the IESG call. It seems like
the primary use case for TLS-Required=no may be to exempt what's basically
the control channel from the requirement to use TLS. So, for instance,
I am getting persistent bounces from you and I want to notify you
about it, so I send that notification with the TLS-Required=no flag set
[0].

Assuming that's right, then ISTM that actually this is not the ideal
design, both because it's not clear how the flag gets set and because
the recipient has had no chance to weigh in. What I would suggest would
instead be to extend MTA-STS and DANE to exempt specific "control"
addresses (e.g., Postmaster) from mandatory TLS. This seems like it
would solve the main problem while avoiding opening the can of
users just marking routine messages as non-sensitive.

-Ekr


[0] In some unspecified way? Perhaps a button in the MUA UI?


On Wed, Mar 13, 2019 at 2:55 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Wed, Mar 13, 2019 at 2:49 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
>
>> > On Mar 13, 2019, at 5:13 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>> >
>> > Well, I think this field should only override the outgoing and not
>> incoming policies (or be removed).
>>
>> To be clear, let's imagine a company (say a bank) with the following TLS
>> policies (written roughly Postfix-style, but should be clear even to the
>> uninitiated):
>>
>>         # Mandatory PKIX authenticated TLS with back office settlement
>> business partner,
>>         # And mutually agreed set of CAs.
>>         #
>>         partner.example         secure tafile=partner-cas.pem
>> match=mx.partner.example
>>
>>         # Mandatory DANE-TLS with another business partner known to
>> support DANE
>>         #
>>         partner2.example        dane-only
>>
>>         # Opportunistic DANE TLS when available with general-purpose email
>>         # (In real life the global default would be specified elsewhere)
>>         *                       dane
>>
>> I think you're saying that the company could allow its users to bypass
>> the locally-policy business partner domain rules, but must refuse to
>> allow users to exempt casual correspondence from DANE (or MTA-STS)
>> policy when published by the destination domain.
>>
>> Is that right?
>>
>
> Yes.
>
> -Ekr
>
>
>> --
>> --
>>         Viktor.
>>
>>

v2.23.0 | Report a Bug | By Email