IETF Logo Mail Archive

Re: [Uta] Call for draft-ietf-uta-email-tls-certs-01 reviews

Alexey Melnikov <alexey.melnikov@isode.com> Mon, 23 March 2015 18:33 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BA8B1AD0CB for <uta@ietfa.amsl.com>; Mon, 23 Mar 2015 11:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o4pr2WQMTn-e for <uta@ietfa.amsl.com>; Mon, 23 Mar 2015 11:32:57 -0700 (PDT)
Received: from waldorf.isode.com (ext-bt.isode.com [217.34.220.158]) by ietfa.amsl.com (Postfix) with ESMTP id 8E4521AD082 for <uta@ietf.org>; Mon, 23 Mar 2015 11:32:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1427135576; d=isode.com; s=selector; i=@isode.com; bh=IKLNG0exHfyeylIwsJmtZwCl9YfwMxth6PMyAFUo/hU=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=qCyA3PoMwcoKWknQ8q4kY9Zf7QM+PyEhuMmPBruHmHSsDn1uInikwpn6vWbCxBLWlYkalo Vcro6jlts6Cci5Jmvbth1bvafS2mkmGGOx9zBbNkD7Z9E6w9GtZEVfIPGRMXAO+ClWmKJo 69eEUGez+q/ICIoJ1eaKW+GdEyBGios=;
Received: from [31.133.180.73] (dhcp-b449.meeting.ietf.org [31.133.180.73]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <VRBcVgBodbvM@waldorf.isode.com>; Mon, 23 Mar 2015 18:32:55 +0000
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <55105C56.3090904@isode.com>
Date: Mon, 23 Mar 2015 18:32:54 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
To: uta@ietf.org
References: <550AADA5.5050803@sunet.se> <20150321073825.GD9387@mournblade.imrryr.org>
In-Reply-To: <20150321073825.GD9387@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/enn7-sEKM133QYyczzwCwKJOSqY>
Cc: Viktor Dukhovni <ietf-dane@dukhovni.org>
Subject: Re: [Uta] Call for draft-ietf-uta-email-tls-certs-01 reviews
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 18:33:02 -0000

On 21/03/2015 07:38, Viktor Dukhovni wrote:
  [...]
> Below is a proposal to expand the scope to cover use of email
> certificates (still other than MTA-to-MTA) with DANE.
>
> Since the DANE SRV draft is almost ready for IETF LC, I think it is
> reasonable to also discuss the use-case for DNSSEC/DANE validated
> indirection:
>
> 	_imaps._tcp.example.com. IN SRV 0 0 993 mail.example.com.
> 	_993._tcp.mail.example.com. IN TLSA 3 1 1 <ee-digest>
> 	_993._tcp.mail.example.com. IN TLSA 2 0 1 <ta-digest>
>
> 	https://tools.ietf.org/html/draft-ietf-dane-srv-11
>
> When an IMAP or submission client locates the service endpoint via
> SRV records (as described in RFC 6186), and said clients supports
> DNSSEC and DANE, an alternative to the use of SRV-ID reference
> identifiers at the service domain is to use DNSSEC to authenticate
> the redirection and DANE to authenticate the certificate of the
> target host.
>
> When the DANE usage is not DANE-EE(3) (which ignores any names in
> the certificate) the domain part of the reference identifier in
> that case would be as described in the DANE SRV draft.  This could
> be with or without the corresponding service prefix.
>
> Such servers would then be authenticated via any of:
>
>      * Standard PKIX CA validation with name checks per this
>        draft.
>
>      * A DANE-EE(3) match of the certificate or key blob with
>        TLSA base domains per the SRV draft.
>
>      * Any other DANE usage with the same name checks as in
>        the draft.
>
>      * Any other DANE usage with the TLSA base domain rather
>        than the service domain as the domain part of the reference
>        identifier, with or without an _service prefix.
>
> There is also a use-case for DANE without SRV indirection.  In
> which case, the service domain is typically the TLSA base domain,
> except as modified by DNSSEC-validated CNAME chasing with TLSA
> records located at the end of the CNAME chain.
>
>      https://tools.ietf.org/html/draft-ietf-dane-ops-07
>
> See also
>
>      http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-15#section-7
>      http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-15#section-3.1.3
>
> that may relevant for clients that use DNS for service discovery
> and potentially employ TLS "opportunistically" based on whether
> TLS-capable services are located.  Such clients should probably
> limit their DANE usages to DANE-TA(2) and DANE-EE(3).
>
I would like to be able to use DANE for verifying DNS SRVs, but the 
scope of this document is to try use existing primitives and not trying 
to tie this to DANE/DNSSEC deployments.
I would be happy to work later on an updated document that includes this 
though.

I would again ask other people to weight in on this.

v2.23.0 | Report a Bug | By Email