[Uta] MTA-STS & max-age

"A. Schulze" <sca@andreasschulze.de> Thu, 15 August 2019 21:03 UTC

To: uta@ietf.org
From: "A. Schulze" <sca@andreasschulze.de>
Message-ID: <ee1ab2dc-b938-3298-e013-3525b5628f3c@andreasschulze.de>
Date: Thu, 15 Aug 2019 23:03:19 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/bnUjy9jxM_Va-lDXVtbB32zIkYI>
Subject: [Uta] MTA-STS & max-age

Hello,

Reading RFC 8461 again and again, I find no answer to "is there a minimum value?"

https://tools.ietf.org/html/rfc8461#section-3.2 says

      "max_age": Max lifetime of the policy (plaintext non-negative
      integer seconds, maximum value of 31557600).  Well-behaved clients
      SHOULD cache a policy for up to this value from the last policy
      fetch time. To mitigate the risks of attacks at policy refresh
      time, it is expected that this value typically be in the range of
      weeks or greater.

The RFC defines a maximum but only an expectation for the minimum :-/

There are not as many implementations in use. What do implementers think about this?
How do you handle max_age > 31557600, and do you require any minimum value for max_age?

postfix-mta-sts-resolver, for example, requires only a value >= 0.
https://github.com/Snawoot/postfix-mta-sts-resolver/blob/c7b3d179fb10277f9bcdc77e7cd91627c879a48b/postfix_mta_sts_resolver/resolver.py#L144

Andreas
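As an added illustration of the question above (example code, not the poster's and not postfix-mta-sts-resolver's), here is a small parser for the "key: value" policy body of RFC 8461 section 3.2 that treats max_age as a digits-only non-negative integer, clamps anything above 31557600 with a warning instead of rejecting the policy, and takes an optional min_age, which is an assumed local operator setting with no basis in the RFC, so a value below it only produces a warning.

```python
import re
from dataclasses import dataclass, field

MAX_AGE_CAP = 31557600  # RFC 8461 section 3.2: the only bound the RFC states


@dataclass
class StsPolicy:
    version: str
    mode: str
    mx: list
    max_age: int
    warnings: list = field(default_factory=list)


def parse_policy(text, min_age=None):
    """Parse an MTA-STS policy body ("key: value" lines, RFC 8461 section 3.2).

    Malformed input raises ValueError. A max_age above MAX_AGE_CAP is clamped
    and recorded as a warning. min_age is an assumed local operator setting,
    not an RFC rule: a value below it is only warned about, never rejected.
    """
    mx, fields = [], {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value)  # "mx" may repeat; every other key may not
        elif key in fields:
            raise ValueError(f"duplicate field: {key}")
        else:
            fields[key] = value
    missing = {"version", "mode", "max_age"} - fields.keys()
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")
    if fields["version"] != "STSv1":
        raise ValueError(f"unsupported version: {fields['version']!r}")
    if fields["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {fields['mode']!r}")
    # ASCII digits only: rejects "-1", "+5", "1e3" and the empty string.
    if not re.fullmatch(r"[0-9]{1,10}", fields["max_age"]):
        raise ValueError(f"invalid max_age: {fields['max_age']!r}")
    warnings, max_age = [], int(fields["max_age"])
    if max_age > MAX_AGE_CAP:
        warnings.append(f"max_age {max_age} exceeds RFC maximum, clamped to {MAX_AGE_CAP}")
        max_age = MAX_AGE_CAP
    if min_age is not None and max_age < min_age:
        warnings.append(f"max_age {max_age} is below local minimum {min_age}")
    return StsPolicy(fields["version"], fields["mode"], mx, max_age, warnings)
```

Whether to clamp or reject an oversized max_age, and whether to enforce any minimum at all, is exactly the implementer choice the RFC leaves open; the warnings list makes that choice visible to the operator rather than silently deciding it.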