Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)
Nico Williams <nico@cryptonector.com> Wed, 27 February 2019 23:44 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F9981311E1; Wed, 27 Feb 2019 15:44:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.514
X-Spam-Level:
X-Spam-Status: No, score=-0.514 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FAKE_REPLY_C=1.486, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mH0kIUzSyTWP; Wed, 27 Feb 2019 15:44:10 -0800 (PST)
Received: from palegreen.birch.relay.mailchannels.net (palegreen.birch.relay.mailchannels.net [23.83.209.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE1FE1311E0; Wed, 27 Feb 2019 15:44:09 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 42E58434D3; Wed, 27 Feb 2019 23:44:08 +0000 (UTC)
Received: from pdx1-sub0-mail-a75.g.dreamhost.com (unknown [100.96.28.213]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id DDB7F43501; Wed, 27 Feb 2019 23:44:07 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a75.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.16.3); Wed, 27 Feb 2019 23:44:08 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Lettuce-Relation: 38e725ea3e73f684_1551311048120_1336803029
X-MC-Loop-Signature: 1551311048120:3636668202
X-MC-Ingress-Time: 1551311048120
Received: from pdx1-sub0-mail-a75.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a75.g.dreamhost.com (Postfix) with ESMTP id 8765C81EA5; Wed, 27 Feb 2019 15:44:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:mime-version:content-type :in-reply-to; s=cryptonector.com; bh=OoZmDSxh7fw7mKcuRTi2Jn9QUY4 =; b=hG2Dlg3HMpZEabgchk01BcouCrYXcAEu71xbqxZ8vh6SY0MfuBq2CIdcCYe jU9Eku8LGoQAgPzHdQynTWa/dypH39VFAn3qMJ9AOxJeC9Cfdl7au7n3r8kuF0LD 3qi7ise5bdyEGwH9vOfRjWWNL8egEi9EZnvd3H2bD/fTDQ7k=
Received: from localhost (unknown [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a75.g.dreamhost.com (Postfix) with ESMTPSA id A71E481EA8; Wed, 27 Feb 2019 15:44:06 -0800 (PST)
Date: Wed, 27 Feb 2019 17:44:04 -0600
X-DH-BACKEND: pdx1-sub0-mail-a75
From: Nico Williams <nico@cryptonector.com>
To: uta@ietf.org, iesg@ietf.org
Message-ID: <20190227234403.GF4108@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <155076162945.8595.2671476533659571699.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedutddrvddvgddtlecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppeekrddvrddutdehrddujeenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpeekrddvrddutdehrddujedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/fH7nMDLdRbCdMFaAyjKi8IORV7Y>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 23:44:13 -0000
On Thu, 21 Feb 2019 07:07:09 -0800, Eric Rescorla wrote: > To elaborate on one point a bit: it seems to me that it's harmful to > security to allow the sender to unilaterally override the recipient's > preferences that something be encrypted. To forestall one argument, > yes, the sender knows the contents of the message, but the recipient > knows their own circumstances, and they may be at particular risk > [...] This is placing too strong an emphasis on security to the detriment of availability. As in all things, we have to make trade-offs, and perfection is not available to us. In particular: - Email to postmaster@domain *must* be able to flow in the face of security-related misconfiguration, full stop. And, it's not always postmaster that is the contact. The actual address of the actual postmaster can come from DNS SOA RRs, web pages, etc... If it were only postmaster@... surely you'd be amenable to exempting that. - Senders own the contents of what they send. Recipients own the contents of what they receive. Each can have different policies as to how it should be sent or received, but each also can post it on social media, newspapers, whatever. Just because one of the parties wishes something be kept confidential, there is no guarantee in the absence of legal, contractual obligations (and PGP or S/MIME, since hop-by-hop transport security might not cut it or even be available). Refusing to accept insecurely-sent messages does not ensure their confidentiality! The recipient does NOT know the sender's circumstances, and I do think the sender's trump the recipient's. HOWEVER, it is fair and *highly* desirable of the recipient to *mark* a message as received insecurely -- keeping in mind that the recipient can't force the sender to have authenticated the recipient... My idea of an ideal end-state for hop-by-hop security for e-mail is that: a) *senders* should be able to specify in the envelope that they want secure, encrypted, authenticated delivery of email at every hop, b) senders should get bounces when that cannot happen, c) *recipients* get an indication of the security of any given e-mail's path to the recipient (perhaps we need a Transmitted: header by which each sending hop MTA can record what it did to authenticate the next hop), d) (a) and (c) get prominent UI indications in MUAs, e) as explained above, *senders* get a "make it go please" button for, e.g., "hey, dear recipient, your mail system is misconfigured, I cannot send secure e-mail" type messages. Lastly, f) forward notifications of failure to meet security policy (sender's or recipient's!), subject to DoS / spam filtering, naturally. A forward notification being like a bounce, but in the other direction. The sender's address, the subject, etc., might not be disclosed -- the important thing is that the recipient should be able to discover misconfigurations and fix them. Nico --
- [Uta] Eric Rescorla's Discuss on draft-ietf-uta-s… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Jim Fenton
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Salz, Rich
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Nico Williams
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Benjamin Kaduk
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Barry Leiba
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Barry Leiba
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… John Levine
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Jim Fenton
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Jim Fenton
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Jim Fenton
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Jim Fenton
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Benjamin Kaduk
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Nico Williams
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Barry Leiba
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Nico Williams
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Alexey Melnikov
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Nico Williams
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Nico Williams
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Nico Williams
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Discuss on draft-ietf-u… Jim Fenton