Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS Draft)

Binu Ramakrishnan <prbinu@yahoo.com> Thu, 05 May 2016 17:18 UTC

Date: Thu, 05 May 2016 17:18:17 +0000
From: Binu Ramakrishnan <prbinu@yahoo.com>
To: Aaron Zauner <azet@azet.org>, John R Levine <johnl@taugh.com>
Message-ID: <2032821667.5787634.1462468697895.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <5CAA2C26-D339-4BFE-8328-0B33E3652025@azet.org>
References: <5CAA2C26-D339-4BFE-8328-0B33E3652025@azet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/e6qiRCSkcHMOxa92nlDP4EyZu7o>
Cc: "uta@ietf.org" <uta@ietf.org>
Subject: Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS Draft)

DMARC is a mechanism to fight against mail-related abuse (e.g. spam emails). And for that matter it is sufficient to keep DMARC/DKIM/SPF records in DNS. In the case of STS, the threats we are considering are quite different from DMARC. It is for the same reason that we are not sticking the policy in DNS (with no DNSSEC). So to answer the question, it is ok to send DMARC over email assuming the recipients can be reached over email. But in the case of STS, a failure means the sender is unable to verify the recipient, hence that channel is not trusted. In such cases HTTPS is preferred over mailto:.

thanks,
-binu
From: Aaron Zauner <azet@azet.org>
To: John R Levine <johnl@taugh.com>
Cc: uta@ietf.org
Sent: Thursday, 5 May 2016 9:17 AM
Subject: Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS Draft)

> On 05 May 2016, at 22:04, John R Levine <johnl@taugh.com> wrote:
> 
>>> People have been mailing around vast numbers of DMARC reports, most
>>> of which have an application/gzip body.  If there have been attacks
>>> using DEFLATE bugs, nobody's gotten around to reporting them.
>> 
>> I'm not much worried about attacks on DEFLATE and SMTP traffic. But as I understand from the draft, there's also an option to report back via HTTPS. Here DEFLATE may become a security issue.
> 
> I don't see why.  HTTP has had gzip encoding since http/1.0 twenty years ago, but I only defined application/gzip for mail in 2012.  Your browser probably decodes deflated pages dozens of times a day.

Exactly. And this is an open security issue today. It's the reason why people needed to come up with 'first party cookies'.

https://github.com/dionyziz/rupture

> Also, remember the DMARC experience, that in practice nobody is interested in http reports if they can send mail.  You might ask around and see if you can find anyone who would send http reports if they had the option to do so. I implemented the http option from the DMARC draft (sort of, given that the draft language was a mess) and the number of attempts I saw was zero.

I think STS is quite different from DMARC in many respects, but I'm interested in the authors' opinions on that: would they prefer mail delivery or HTTPS? Does it depend on deployment/hosting environment etc.?

Aaron
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
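The exchange above about DEFLATE over HTTPS is about compression side channels: when a compressed response carries a secret next to bytes the attacker controls, the compressed length (visible as the TLS record size) leaks whether a guess matches the secret, which is the mechanism the linked Rupture work builds on. The following is an added example, not code from this thread or from the Rupture project. The page template, the token, the known prefix, the pad bytes and the `zlib`-length oracle are all constructed stand-ins for a real response whose compressed size an on-path attacker can observe; the masking at the end is modelled on the per-response masking Rails and Django apply to CSRF tokens.

```python
"""Compression side channel on a DEFLATE-compressed response (the CRIME/BREACH
mechanism) and the per-response masking that defeats it. Constructed example."""
import html
import os
import zlib

SECRET = "7f3a9c2e"                     # constructed per-session token embedded in the page
ALPHABET = "0123456789abcdef"           # attacker's assumption: the token is lowercase hex
KNOWN_PREFIX = "/account/logout?csrf="  # bytes the attacker knows precede the token
PAD = "{}~!"                            # filler that never occurs in the page (no false matches)


def render_page(query: str, token: str = SECRET) -> bytes:
    """Constructed page: the secret token and the reflected (HTML-escaped) query share one body."""
    page = (f'<a href="{KNOWN_PREFIX}{token}">Log out</a>\n'
            f'<p>q={html.escape(query)}</p>')
    return page.encode()


def compressed_size(body: bytes) -> int:
    """The only thing the attacker observes: the size of the compressed body."""
    return len(zlib.compress(body))


def two_tries_score(oracle, known: str, guess: str) -> int:
    """BREACH's 'two tries': both requests contain exactly the same bytes, so Huffman
    coding costs the same; only a longer LZ77 back-reference (a correct guess that
    extends the match against the secret) makes the first request shorter."""
    first = oracle(known + guess + PAD)
    second = oracle(known + PAD + guess)
    return second - first


def recover_token(oracle, token_len: int = len(SECRET)) -> str:
    """Greedy byte-at-a-time recovery. Stops when no single candidate wins outright,
    which is what happens when the secret is not compressed alongside the input."""
    recovered = ""
    while len(recovered) < token_len:
        scores = {c: two_tries_score(oracle, KNOWN_PREFIX + recovered, c) for c in ALPHABET}
        best = max(scores, key=scores.get)
        if scores[best] <= 0 or list(scores.values()).count(scores[best]) != 1:
            break
        recovered += best
    return recovered


def render_masked_page(query: str) -> bytes:
    """Mitigation: XOR the token with a fresh random mask on every response and emit
    mask||masked, so the bytes carrying the secret never repeat across responses and
    cannot be back-referenced consistently."""
    mask = os.urandom(len(SECRET) // 2)
    masked = bytes(a ^ b for a, b in zip(mask, bytes.fromhex(SECRET)))
    return render_page(query, token=mask.hex() + masked.hex())


def vulnerable_oracle(query: str) -> int:
    return compressed_size(render_page(query))


def masked_oracle(query: str) -> int:
    return compressed_size(render_masked_page(query))


if __name__ == "__main__":
    print("recovered from vulnerable page:", recover_token(vulnerable_oracle))
    print("recovered from masked page:    ", repr(recover_token(masked_oracle)))
```

Against the vulnerable page the loop recovers the full token from length measurements alone, even though the query is HTML-escaped, because the known prefix contains nothing the escaper touches. Against the masked page every response carries different token bytes, the two-tries scores become noise and the loop stops early or returns garbage. The practical check for an HTTPS reporting endpoint is therefore not "is DEFLATE used" but "does any compressed response mix a secret with data the reporter controls"; compressing the uploaded report bodies themselves, as the DMARC precedent does, is not that configuration.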