Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt

John Levine <johnl@taugh.com> Thu, 23 June 2022 21:33 UTC

Date: Thu, 23 Jun 2022 17:33:32 -0400
Message-Id: <20220623213332.B9E54442A79F@ary.qy>
From: John Levine <johnl@taugh.com>
To: uta@ietf.org
In-Reply-To: <YrTRbIMW2OatWZYO@straasha.imrryr.org>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/mrSbgFiSKRJJNvRriaxsEYftNgs>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt

It appears that Viktor Dukhovni <uta@ietf.org> said:
>On Thu, Jun 23, 2022 at 01:42:46PM -0400, John R Levine wrote:
>
>> Among the reasons that DANE in e-mail is less common is that it is tricky. 
>
>DANE is only "tricky" when you're trying to integrate TLSA record
>updates with ACME cert rollovers and don't configure key reuse.

Kind of. I use the same key for all of the certs for the many names
that each of my mail servers has, so I have one TLSA record and a lot
of CNAMEs. That's probably bad practice for some reason but whatever.

One tricky part is setting things up, ensuring that you know all the
names the server has and that the certs are all issued and the TLSA or
CNAME installed. The other tricky part is automating the renewals,
which requires either DNS API access or a hack with a web server with
the same name as each mail server name. Neither is horribly difficult,
but they're things mail operators haven't had to do in the past.

R's,
John
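The "one TLSA record plus CNAMEs" layout and the renewal check that key reuse makes possible, as an added example that is not part of the thread and not code from any of the participants. It is pure standard-library Python: a tiny DER encoder builds constructed, unsigned certificate shells with made-up RSA moduli (not real key material), a tiny DER walker pulls the SubjectPublicKeyInfo back out, and the TLSA "3 1 1" value is the SHA-256 of that SPKI blob. The host names (mx1.example.com, mail.example.net), the function names and the sample serials are assumptions for illustration only.

```python
"""DANE TLSA 3 1 1 from DER certificates, and why key reuse lets one TLSA
record (plus CNAMEs) survive ACME renewals without touching DNS."""
import hashlib

# --- minimal DER encoding, just enough to construct a test certificate ---

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return tlv(0x02, body)

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
RSA_ALG_ID = tlv(0x30, RSA_OID + b"\x05\x00")      # AlgorithmIdentifier {rsaEncryption, NULL}

def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key; TLSA selector 1 hashes exactly this TLV."""
    rsa_pub = tlv(0x30, der_int(modulus) + der_int(exponent))
    return tlv(0x30, RSA_ALG_ID + tlv(0x03, b"\x00" + rsa_pub))

def build_test_cert(serial: int, modulus: int) -> bytes:
    """Constructed X.509v3 shell (empty names, dummy signature). The TLSA
    computation never checks the signature, so this is enough for the demo."""
    version = tlv(0xA0, der_int(2))
    empty_name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"220101000000Z") + tlv(0x17, b"230101000000Z"))
    tbs = tlv(0x30, version + der_int(serial) + RSA_ALG_ID + empty_name
              + validity + empty_name + rsa_spki(modulus))
    dummy_sig = tlv(0x03, b"\x00" + bytes(32))
    return tlv(0x30, tbs + RSA_ALG_ID + dummy_sig)

# --- DER walking: enough to find the SPKI inside a real or constructed cert ---

def der_children(data: bytes):
    """Yield (tag, value, whole_tlv) for each TLV in a constructed DER value.
    Single-byte tags only, which is all X.509 uses."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length, hdr = int.from_bytes(data[i + 2:i + 2 + n], "big"), 2 + n
        end = i + hdr + length
        yield tag, data[i + hdr:end], data[i:end]
        i = end

def extract_spki(cert_der: bytes) -> bytes:
    """Return the full SubjectPublicKeyInfo TLV from a DER certificate."""
    _, cert_body, _ = next(der_children(cert_der))   # Certificate SEQUENCE
    _, tbs, _ = next(der_children(cert_body))        # TBSCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def tlsa_311(cert_der: bytes) -> str:
    """TLSA usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def zone_records(canonical_mx: str, aliases: list, tlsa_hex: str, port: int = 25) -> list:
    """One TLSA record on the canonical MX name; every other server name is a
    CNAME to it, so a key rollover means editing one record, not N."""
    owner = f"_{port}._tcp.{canonical_mx}."
    out = [f"{owner} IN TLSA 3 1 1 {tlsa_hex}"]
    out += [f"_{port}._tcp.{alias}. IN CNAME {owner}" for alias in aliases]
    return out

def renewal_is_safe(published_tlsa_hex: str, new_cert_der: bytes) -> bool:
    """Pre-deployment check: a renewed cert can be installed without a DNS
    change only if its SPKI still matches what is published."""
    return tlsa_311(new_cert_der) == published_tlsa_hex.lower()

# Constructed demo keys: distinct 2048-bit integers, not real RSA moduli.
KEY_A = (1 << 2047) | 0xC0FFEE
KEY_B = (1 << 2047) | 0xBADC0DE
CERT_2022 = build_test_cert(serial=1001, modulus=KEY_A)   # current cert
CERT_2023 = build_test_cert(serial=1002, modulus=KEY_A)   # renewal, key reused
CERT_NEWKEY = build_test_cert(serial=1003, modulus=KEY_B) # renewal with a fresh key

if __name__ == "__main__":
    published = tlsa_311(CERT_2022)
    for line in zone_records("mx1.example.com", ["mail.example.net", "smtp.example.org"], published):
        print(line)
    print("same-key renewal safe:", renewal_is_safe(published, CERT_2023))
    print("new-key renewal safe: ", renewal_is_safe(published, CERT_NEWKEY))
```

The point the check makes concrete: with key reuse the SPKI digest, and therefore the TLSA record, is identical for the 2022 and 2023 certificates even though serial and validity differ, so the ACME client can swap the certificate in without a DNS write. The moment a renewal generates a fresh key, `renewal_is_safe` fails and the operator knows the TLSA record (and only that one, since the other names are CNAMEs) must be updated before the new cert goes live.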