IETF Logo Mail Archive

Re: [Uta] draft-moore-smtp-addrquery

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 04 August 2015 23:58 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6B391B29AE for <uta@ietfa.amsl.com>; Tue, 4 Aug 2015 16:58:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NdddeKjScvow for <uta@ietfa.amsl.com>; Tue, 4 Aug 2015 16:58:25 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 208211A8A6E for <uta@ietf.org>; Tue, 4 Aug 2015 16:58:25 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 24D03F984; Tue, 4 Aug 2015 19:58:23 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 8A66B2010F; Wed, 5 Aug 2015 01:58:13 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Keith Moore <moore@network-heretics.com>, uta@ietf.org
In-Reply-To: <55AE727F.4070007@network-heretics.com>
References: <55AE727F.4070007@network-heretics.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Tue, 04 Aug 2015 19:58:10 -0400
Message-ID: <87si7y38tp.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/eeT7emeHXsSBE1xE1Z6gULxOHKE>
Subject: Re: [Uta] draft-moore-smtp-addrquery
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2015 23:58:27 -0000

On Tue 2015-07-21 12:25:35 -0400, Keith Moore wrote:
> Of possible interest to this WG, or to the members of this WG, is 
> draft-moore-smtp-addrquery-01
> Basically this is an extension to SMTP to allow mail exchangers to be 
> queried for information about the email addresses for which they accept 
> mail.
> Such information could include public keys.
> TLS is required by this extension and is used to authenticate the responses.
>
> Chris (my co-author) and I would appreciate feedback on this.
>
> https://tools.ietf.org/html/draft-moore-email-addrquery-01

I think this is a great start at a key discovery protocol that minimizes
metadata leakage.  I note that a key discovery protocol does not need to
also be a key validation protocol.

The communications model in the draft supports this flow:

 MUA <--> MSA <--> MX

since this is already the same communications model required for message
delivery, it is good for metadata minimization to piggypack on the same
channels for key discovery.

I think the arguments between Keith and Viktor about trusting the MSA or
not have to do with how we expect an MUA to validate the keys retrieved
by this mechanism.  I would prefer to decouple that validation from the
discovery mechanism itself.

It's possible to discover a key/certificate for correspondent X that you
decide is unusable.  That's an OK outcome, and one this draft should
accomodate.  But i don't think that a user of this draft should have to
assume that any key/cert discovered by this protocol is necessarily
valid for the target e-mail address.

I've asked a couple other mail-interested folks about this, and one
suggestion i got back was that MXs supporting this draft should also use
TLS-wrapped SMTP on port 465.  While port 25 is blocked outbound for
most users today, TLS-wrapped SMTP on 465 is not as widely blocked, so
this suggestion might make direct MUA <--> MX queries more feasible.
That said, direct MUA <--> MX queries potentially leak more metadata
than MUA <--> MSA <--> MX queries (in particular, (a) the MX learns the
IP address of the MUA in the former workflow, and (b) a popular MSA in
the latter workflow acts as a sort of low-latency mixing proxy).

I'd very much like to see something like this draft progress.  If i can
help, please let me know.

      --dkg

v2.23.0 | Report a Bug | By Email