IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)

Daniel Margolis <dan@af0.net> Mon, 07 May 2018 08:16 UTC

Return-Path: <dan@af0.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72AB212D889 for <uta@ietfa.amsl.com>; Mon, 7 May 2018 01:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=af0.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cyLwbX84QxJU for <uta@ietfa.amsl.com>; Mon, 7 May 2018 01:15:57 -0700 (PDT)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F1FD126D0C for <uta@ietf.org>; Mon, 7 May 2018 01:15:57 -0700 (PDT)
Received: by mail-wm0-x229.google.com with SMTP id a137-v6so14097786wme.1 for <uta@ietf.org>; Mon, 07 May 2018 01:15:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=af0.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NU4IJlpq77r3LMlUU2YoBy/Jtq9pXTkF9ECGWu2DFrQ=; b=nKlwQYM3xGame0RZUeaVwwjBbv66mhOOqyW3dIGxUxu9VIIgJsVCEulEooKHX8hBoI AN23GCGcL/bfPEoFz2JKWGGxyytVfhiM7vvf2fB8gHO3jz+eJWKX6cL3Z3GpdJCzaSp6 wxf8kM53XUTemtrqeYx1R03mAnUBMTwtnuFSQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NU4IJlpq77r3LMlUU2YoBy/Jtq9pXTkF9ECGWu2DFrQ=; b=fI16ZHb3gm0xfybyN7XccQg9hTXVkqCpyYNXhX7vVh8O5WM2HbNlB9nhKMMco+xWEH 2OVyuWJxfSNKRVZiDLnsuuddgv49+S1na/+kcqyOAWyK5n2iee8jcEb0GbFOYucYyl5w Rkvw6kSGwWqosBGn3Qty1NUZ79lSbKSHj52gPdQB/eI5rgBvHanj+80aJDHF7DPlQOWK te89XfyQanIHe1Eybr31Hy/gyQtA4NCmO4Db9Hg4vR59Bq2k6kTDuLWhT2c3XRvUU1bc t26+SmJv6B1ow5H3joFj9ZUXT/xaqk9gD4tIfhcotIxzNDgEV44uIys/CU41hN4b3fSr 2EOQ==
X-Gm-Message-State: ALQs6tAqXWHapc2boTrHzD3Kkaw35aT40RCHpF77yw/kxiZiNRcjjwie i3iEwr/yCL3He3HZRDgomsMeZKgiQN5/rJrro1kmvQ==
X-Google-Smtp-Source: AB8JxZrn/FeGu3RpNjMy5ODXJnUJHqnW9//yXi8cYHZJUhqpJcl/g7jOEm8NtxPBs+QMs04oZPzctGHKFG6ztpA9Cbc=
X-Received: by 2002:a50:a306:: with SMTP id 6-v6mr48995604edn.292.1525680955440; Mon, 07 May 2018 01:15:55 -0700 (PDT)
MIME-Version: 1.0
References: <152539648489.11713.7895583526344282774.idtracker@ietfa.amsl.com> <CANtKdUeK_HpOYsP-CfhF7m7-DYiSX39xTMLxqZw-1UQsn29xyQ@mail.gmail.com> <78C81C6B-1C5F-4361-A3B7-40D9012E406A@dukhovni.org> <CA+S86mWSNwzG0_y_d=yg8Nqf9gxFud+8TAYWHY3Uw6aqn_JKog@mail.gmail.com> <C5B103C6-4A18-4013-95DB-70C2C180871C@dukhovni.org> <969F2F35-BA59-403B-81EE-44AF57FA6BB0@dukhovni.org>
In-Reply-To: <969F2F35-BA59-403B-81EE-44AF57FA6BB0@dukhovni.org>
From: Daniel Margolis <dan@af0.net>
Date: Mon, 07 May 2018 08:15:45 +0000
Message-ID: <CA+S86mVYXJceY-0ZGMFPHOTgzaad81EupDxjW6iMOrScSJRidQ@mail.gmail.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: uta@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, The IESG <iesg@ietf.org>, Leif Johansson <leifj@sunet.se>
Content-Type: multipart/alternative; boundary="00000000000063c4fa056b994702"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/bvs7oEv2WukRfvXcTiTnUa1KQB8>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2018 08:16:00 -0000

Yes, that was exactly my point. That's why I was saying this is really an
implementation detail (albeit one you'd want to call out); the only
fundamental protocol question at issue is whether we should consider valid
a policy that matches only the cert but not the hostname itself.

On Mon, May 7, 2018 at 5:05 AM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
>
> > On May 6, 2018, at 5:20 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> >
> >> I don't believe that pre-filtering the MX candidate list is the only
> way to do it. You could leave the loop as-is and just refuse to connect to
> (i.e. treat as a transient connection failure) any candidate which fails
> the policy validation. So this is an implementation question; modifying
> loop pre-filtering is probably riskier than what we might call "connection
> early termination", but both are compliant with the protocol.
> >
> > It makes a difference with a "testing" policy.  Should mail be sent via
> > an MX host not listed in the policy, or should it be skipped?  With
> > "testing" the mail should probably go out, with a report of the
> authentication
> > failure (impossible success given unexpected MX name) sent per any
> "tlsrpt"
> > policy.
> >
> > So at least "testing" should probably use all the MX hosts.  Whether
> "enforce"
> > does or does not is then a question of whether doing it differently for
> the
> > two cases is a potential source of confusion/bugs, and prominent
> anti-loop
> > warnings.
> >
> > There are even some domains where connecting to the backup MX host
> *before*
> > trying a connection to the primary will cause firewall rules to be
> dynamically
> > added to block the client!
>
> And yet, of course, we could essentially in all cases go through the
> motions
> of considering *every* MX host, and even connect to each X host in turn as
> needed, but still authenticate the peer based on a match between the
> certificate and the MX hostname, with the additional constraint that the
> MX hostname match the policy "mx" list.
>
>   * In "testing" mode one would still actually connect even to MX hosts
>     whose names don't match the cached policy.
>
>   * In "enforce" mode, one could at the last moment optimize-out
> connections
>     to hosts which are sure to fail authentication, because the MX hostname
>     does not match the "mx" list.  This of course after loop eiimination,
> etc.
>
> I think that's the point that Daniel was trying to make...
>
> --
>         Viktor.
>
>

v2.23.0 | Report a Bug | By Email