Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
"Chris Newman" <chris.newman@oracle.com> Fri, 27 October 2017 20:55 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F0BD13F5A9; Fri, 27 Oct 2017 13:55:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JYtyyzR6KoYX; Fri, 27 Oct 2017 13:55:09 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4262313F3F5; Fri, 27 Oct 2017 13:55:09 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v9RKt6Hn014440 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 27 Oct 2017 20:55:07 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v9RKt5rf010109 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 27 Oct 2017 20:55:06 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v9RKt5Rk006471; Fri, 27 Oct 2017 20:55:05 GMT
Received: from [10.145.239.223] (/10.145.239.223) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 27 Oct 2017 13:55:05 -0700
From: Chris Newman <chris.newman@oracle.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Keith Moore <moore@network-heretics.com>, The IESG <iesg@ietf.org>, draft-ietf-uta-email-deep@ietf.org, uta-chairs@ietf.org, Leif Johansson <leifj@sunet.se>, "uta@ietf.org" <uta@ietf.org>
Date: Fri, 27 Oct 2017 13:55:02 -0700
Message-ID: <412F718C-F4C9-427C-8D07-3561F374C804@oracle.com>
In-Reply-To: <CABcZeBPx2zS8Wr5179wkcmv-_=KeQSfCi91tb0OpSax7QbETPg@mail.gmail.com>
References: <150852235551.15416.1247335476327491501.idtracker@ietfa.amsl.com> <98fddd93-a0a8-efa3-ce2e-530449ae536c@network-heretics.com> <8B20BC5A-A60A-4A31-9345-E970B31BC2C3@oracle.com> <a67ef1d0-1637-fe48-9fb1-664ad8b3172d@network-heretics.com> <D5ED7737-D201-41A2-B24D-661D10D19EE0@oracle.com> <CABcZeBPx2zS8Wr5179wkcmv-_=KeQSfCi91tb0OpSax7QbETPg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.7r5425)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/jQi95ln06T2D2dwd0dmwttukBXE>
Subject: Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-email-deep-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Oct 2017 20:55:11 -0000
On 27 Oct 2017, at 11:34, Eric Rescorla wrote: > On Fri, Oct 27, 2017 at 11:03 AM, Chris Newman > <chris.newman@oracle.com> > wrote: > >> On 26 Oct 2017, at 19:56, Keith Moore wrote: >> >>> On 10/26/2017 07:18 PM, Chris Newman wrote: >>> >>> Line 304 >>>>>> preference to services supporting STARTTLS (if offered). >>>>>> (See >>>>>> also Section 4.5.) >>>>>> I note that 6186 is kind of unclear on what should go in SNI. It >>>>>> obviously >>>>>> needs to be what you are checking against (which 6186 gets right) >>>>>> but >>>>>> maybe >>>>>> it's worth clarifying in this document somewhere. >>>>>> >>>>> Hmm. I might need to come back to that one. Lots of layers to >>>>> sift >>>>> through. Feel free to suggest text. >>>>> >>>> >>>> I believe RFC 7817 handles this issue sufficiently. >>>> >>> >>> Not sure whether EKR was referring specifically to the use of SNI >>> with >>> SRV records or not, but that's what I had assumed he meant. So far >>> I >>> haven't found any specific advice for (a) what name the MUA should >>> specify >>> in SNI, or (b) what names the server should recognize and have >>> certificates >>> for. It's pretty clear that the server needs to have a certificate >>> for >>> the name on the right hand side of the SRV record, but should it >>> also have >>> a certificate for the name on the left hand side? (e.g. _pop3s._ >>> tcp.example.com?) That would potentially make SRV discovery more >>> secure. >>> >>> But I think that's well beyond what the WG (and IESG) approved. So >>> I >>> guess I'm inclined to leave the -10 text as it is now without >>> specifically >>> addressing this issue. >>> >> >> I just re-read the related text a bit more carefully. Although RFC >> 7817 >> adequately covers what subjectAltName identities mail servers need to >> support in certificates, it doesn't cover what goes in SNI (although >> it >> mentions SNI). Ditto for RFC 6186. This is annoying; the issue really >> should have been addressed in 7817 or 6125 :-( >> >> I suspect in practice that most MUAs use the post-SRV-lookup hostname >> in >> TLS SNI. And server support for that name form in SNI will be >> necessary to >> interoperate with MUAs that don't support RFC 6186 (or use an >> alternative >> autodiscovery mechanism in preference to RFC 6186). So the remaining >> question is would it be useful/helpful for a server to also support >> an SNI >> based on the SRV record or SRV-ID name? I don't think the answer to >> that >> question is important enough to justify a normative change to this >> document. >> >> To address this, I suggest we add a sentence to the end of section >> 4.4 >> (just before the sentence referencing 7817): >> >> -- >> Mail servers supporting SNI need to support the post-SRV hostname to >> interoperate with MUAs that have not implemented RFC 6186. >> -- > > So to be clear, what you are saying is that when I enter > "mail.example.com" > but it's hosted on "mailhosting.com", and that indirection is done via > SRV, > that the certificate contains "mail.example.com" but the SNI contains > " > mailhosting.com"? Partly correct, but insufficient to support MUAs that don't implement RFC 6186 (which is presently the majority of MUAs). If a mail hosting company wants to use SNI to host multiple domains, it has two naming approaches for non-6186 customers: 1. customer1.mailhosting.example, customer2.mailhosting.example 2. or customer1.example, customer2.example (these names can point to the same IP addresses) These names will be used both for SNI and as the DNS-ID in the certificate. If the site chooses to support RFC 6186, then RFC 7817 requires the certificates have an SRV-ID _in addition to_ the DNS-ID (and 6186 clients are required to check the SRV-ID). So I think my proposed additional statement in combination with the requirements in RFC 7817 is sufficient to clarify what goes in SNI and to define secure use of RFC 6186 discovery. - Chris > -Ekr > > I view that as a statement of fact rather than a normative change so I >> think it's kosher. Saying more on the topic would probably cross the >> normative change line so I'd prefer not to go there. >> >> - Chris >>
- [Uta] Eric Rescorla's Yes on draft-ietf-uta-email… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Alexey Melnikov
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Chris Newman
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Chris Newman
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Eric Rescorla
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Chris Newman
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Keith Moore
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Chris Newman
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Viktor Dukhovni
- Re: [Uta] Eric Rescorla's Yes on draft-ietf-uta-e… Alexey Melnikov