Re: [Uta] Review of draft-ietf-uta-mta-sts-04

Janet Jones <Janet.Jones@microsoft.com> Tue, 25 April 2017 16:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/dy516r-ZaJPFHKHoH8HSTZukp_c>

Hi Alexey,

Resending links to closed issues and current pull requests to be incorporated based on feedback.

https://github.com/mrisher/smtp-sts/issues

https://github.com/mrisher/smtp-sts/pulls

Thanks again for your feedback!
Janet


From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Daniel Margolis
Sent: Sunday, April 23, 2017 4:58 AM
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: uta@ietf.org
Subject: Re: [Uta] Review of draft-ietf-uta-mta-sts-04

Thanks. Comments inline, mostly ticking off changes. :)

I have pushed all my changes in response to this to the git repo and they should appear in our next draft.


On Wed, Apr 19, 2017 at 1:05 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
Hi,
Below is my early "AD review" of the document. I think it is in pretty good shape and is ready for WG Last Call (I am Ok with the question of JSON versus something else being settled during or after WGLC.)

1) In 1.1:

   o  Policy Domain: The domain for which an MTA-STS Policy is defined.
      This is the next-hop domain; when sending mail to
      "alice@example.com" this would ordinarily be "example.com", but
      this may be overridden by explicit routing rules (as described in
      "Policy Selection for Smart Hosts").

Nit: This needs an internal section reference.
I think there was another place in the document when an internal section number is not mentioned.

Done. Thanks.


2) In 3.1:

      sts-version     = "v" *WSP "=" *WSP %x53 %x54        ; "STSv1"
                        %x53 %x76 %x31

Do you intend for this to be matched case-sensitively?
What you wrote above is that "v" is case-insensitive, but "STSv1" is.

Good point. I actually would have intended the field names to also be case-sensitive. (At any rate, the code I have is case sensitive.) I see no reason to tolerate mixed case here given we're requiring specific strings anyway.


3) Section 3.2 says that unrecognized fields are to be ignored, so you need to update ABNF in 3.1 to make it clear.

Current ABNF:

      sts-text-record = sts-version *WSP %x3B *WSP sts-id [%x3B]

      sts-version     = "v" *WSP "=" *WSP %x53 %x54        ; "STSv1"
                        %x53 %x76 %x31

      sts-id          = "id" *WSP "=" *WSP 1*32(ALPHA / DIGIT)

I suggest something like the following (this implies that position of the first 2 fields is fixed, extensions at the end. If you prefer that any fields are in any order (other than the version), I can update the ABNF):

Good point.

Looking at SPF, DMARC, and DKIM, all three require the v= to be first in the record (which makes some sense, I suppose, to allow future versions to have different parsing syntaxes), so I suppose we can just keep it as you have it here. Thanks for that!


      sts-text-record = sts-version *WSP field-delim *WSP sts-id [field-delim [sts-extensions]]

      field-delim     = %x3B

      sts-version     = "v" *WSP "=" *WSP %x53 %x54        ; "STSv1"
                        %x53 %x76 %x31

      sts-id          = "id" *WSP "=" *WSP 1*32(ALPHA / DIGIT)

      sts-extensions  = sts-extension *(field-delim sts-extension) [field-delim]
                        ; Extension fields at the end in any order

      sts-extension   = sts-ext-name *WSP "=" *WSP sts-ext-value

      sts-ext-name    = (ALPHA / DIGIT) *31(ALPHA / DIGIT / "_" / "-" / ".")

      sts-ext-value   = 1*(%x21-3A / %x3C / %x3E-7E)
                        ; like esmtp-value from RFC 5321, but doesn't allow ";".
                        ; So basically any CHAR excluding "=", ";", SP, and control
                        ; characters.

4) In 3.2: Should "SHOULD ignore unrecognized fields" be a MUST? I.e., why would it not be Ok to ignore unrecognized fields?

It's a bug. Thanks. :)


5) In 3.3: RFC 6125 use needs more details, because you need to specify answers to every question in section 3 of RFC 6125.
In particular you should say that when checking certificates, you only use DNS-ID and CN-ID (SRV-ID and URI-ID are not used) and that you allow wildcards in them.

Thanks, I've clarified this.

6) Last para on page 7: this is also true in RFC 6125.

Correct.

7) In 5.1, last para: I think you mean that if there are too many failures to deliver when using MTA-STS, regular SMTP rules for generating a bounce apply? I think this needs rewording to say that.

Fixed, and included a reference to rfc5321's relevant section, to hopefully make clear we expect existing rules to apply.


8) If you want to allow for extensibility, you probably need an IANA registry of fields allowed, so that developers can find them easily. I can help with some text.

I'd appreciate any suggestions.

Is there a need for that now, though? I would not want to overengineer this, either. :)


9) On page 13: I think pseudocode should make it clear that you retrieve DNS-ID SAN.

Thanks, done.


Best Regards,
Alexey

P.S. I might have a couple of extra items, but I need to double check a few things first.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
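The TXT record grammar discussed in items 2 through 4 above, as an added example that is not code from the draft or from the smtp-sts repository: a Python parser that follows Alexey's proposed ABNF (v= first, id= second, extension fields last in any order), treats field names as case-sensitive as Daniel says he intends, and keeps unrecognized extension fields instead of rejecting the record.

```python
import re

# Added example: parser for the MTA-STS TXT record per the ABNF proposed in
# the review. Everything is matched case-sensitively (no re.IGNORECASE), so
# "V=STSv1" and "v=stsv1" are both rejected, as the authors intend.
WSP = r"[ \t]*"
VERSION = rf"v{WSP}={WSP}STSv1"                        # %x53.54.53.76.31, exact case
STS_ID = rf"id{WSP}={WSP}(?P<id>[A-Za-z0-9]{{1,32}})"  # 1*32(ALPHA / DIGIT)
EXT_NAME = r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}"          # (ALPHA / DIGIT) *31(...)
EXT_VALUE = r"[\x21-\x3a\x3c\x3e-\x7e]+"               # no "=", ";", SP or controls
EXT_FIELD = rf"(?P<name>{EXT_NAME}){WSP}={WSP}(?P<value>{EXT_VALUE})"

# sts-text-record = sts-version *WSP ";" *WSP sts-id [";" [sts-extensions]]
RECORD_RE = re.compile(rf"^{VERSION}{WSP};{WSP}{STS_ID}(?:;(?P<ext>.*))?$")
EXT_RE = re.compile(rf"^{EXT_FIELD}$")


def parse_sts_record(txt: str):
    """Return {"v", "id", "extensions"} for a well-formed record, else None."""
    m = RECORD_RE.match(txt)
    if m is None:
        return None
    record = {"v": "STSv1", "id": m.group("id"), "extensions": {}}
    ext = m.group("ext")
    if not ext:            # no extensions, possibly just a trailing ";"
        return record
    fields = ext.split(";")
    if fields[-1] == "":   # sts-extensions may end with one field-delim
        fields.pop()
    for field in fields:
        em = EXT_RE.match(field)
        if em is None:     # malformed extension (empty field, "=" in value, ...)
            return None
        # Unknown names are retained, not rejected: section 3.2 says ignore them
        record["extensions"][em.group("name")] = em.group("value")
    return record
```

Note that the proposed ABNF allows *WSP only around the first delimiter and the "=" signs, so this parser rejects a space before an extension field (`; foo=bar`); tolerating that requires relaxing the ABNF rather than the code.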