Re: [Uta] New proposal: SMTP Strict Transport Security
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 22 March 2016 16:10 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C468B12DACE for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 09:10:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lVnD0xdXH9Fz for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 09:10:02 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B986512DA8B for <uta@ietf.org>; Tue, 22 Mar 2016 09:09:34 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C0DAD284F45; Tue, 22 Mar 2016 16:09:33 +0000 (UTC)
Date: Tue, 22 Mar 2016 16:09:33 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20160322160933.GG6602@mournblade.imrryr.org>
References: <CAB0W=GS2PXF-divC+SNs+A-jH1-_BBA889-TbQXHvrVsrbKLEA@mail.gmail.com> <CAB0W=GSQ4oTLT+qepMi7Pj5=UmBD70D_uW7c193RY-gw818ORA@mail.gmail.com> <CAB0W=GRB_6LhqEGYzeYq-srnM99wqwZrdjUEm=vJ7+oFiKbYoA@mail.gmail.com> <CAB0W=GTGja5JtxGuCzhD6O3B2Ow-wLN-B6WQ8XUDyvQRqdFZxw@mail.gmail.com> <20160322063527.GD6602@mournblade.imrryr.org> <CANtKdUeh8LV1uaWAyRqQ2ou4pdTNvKgzuJ5kKsQLwPFORqrDQA@mail.gmail.com> <20160322084859.GF6602@mournblade.imrryr.org> <D31BCFDF-5926-413A-8624-26B65F741A75@noware.co.uk> <CANtKdUdLiLDE5s2Exj4eh+o1Fob2-bDXWCpJM87mHKBa+aQkYQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANtKdUdLiLDE5s2Exj4eh+o1Fob2-bDXWCpJM87mHKBa+aQkYQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/lSmVQdN5fDcMsndhXm6wiXtl__k>
Subject: Re: [Uta] New proposal: SMTP Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 16:10:03 -0000
On Tue, Mar 22, 2016 at 11:10:57AM +0100, Daniel Margolis wrote: > Thanks for the feedback to both of you. I don't disagree; I think Viktor > makes a very solid point in favor of simplicity. In addition, a report-only > protocol could be extended to support arbitrary error reporting; an > out-of-band (e.g. HTTP) channel to share delivery failures between domains > strikes me as useful in the general case. > > Separately, because we're already assuming providers (both sending and > receiving) make a choice on implementing DANE and/or webPKI, I don't think > actually splitting the two makes it any more or less complex to implement, > or should discourage adoption of one or the other mechanism. > > So I would say I'm feeling a bit in favor of Viktor's suggestion, but I'd > like to chat a bit more with my co-authors and think about it first. ;) Great. One more question. I see that there are parallel non-overlapping threads on this proposal on tha UTA and IETF-SMTP lists. Is either the "primary" forum for discussing this proposal? Should people be encouraged to cross-post? Should the IETF-SMTP users who want to discuss it be encouraged to shift the discussion here? > Viktor, as an aside regarding the hosted mail scenario, we already had the > suggestion to move the HTTPS endpoint to something like "_ > smtp_sts.example.com/current". If we do that, the customer (example.com) > can make this a CNAME for "_smtp_sts.hostingdomain.com", who can use SNI to > serve the policy with the customer's cert (assuming the customer trusts the > hosting provider with this; for domains that don't operate their own HTTPS > endpoint this seems to me to be likely). For the more complex case, the > cron setup you describe doesn't seem too onerous, I agree. Prepending a fixed sub-domain label is fine as an extra bit of rope to support various forms of indirection. -- Viktor.
- [Uta] New proposal: SMTP Strict Transport Security Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Neil Cook
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- [Uta] SMTP Strict Transport Security - reporting Alexey Melnikov
- Re: [Uta] SMTP Strict Transport Security - report… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] SMTP Strict Transport Security - report… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Alexey Melnikov
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jim Fenton
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Chris Newman
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Mark Risher
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Binu Ramakrishnan
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Jeremy Harris
- Re: [Uta] New proposal: SMTP Strict Transport Sec… ned+uta
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… John Levine
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… David Schweikert
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Viktor Dukhovni
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Daniel Margolis
- Re: [Uta] New proposal: SMTP Strict Transport Sec… Aaron Zauner