Re: [Uta] REQUIRETLS: another SMTP TLS mechanism

Jeremy Harris <jgh@wizmail.org> Fri, 25 March 2016 13:45 UTC

To: uta@ietf.org
References: <56F49E9B.2090403@bluepopcorn.net> <79BB5D4B-A939-42F0-9F3D-3F9E59BC4668@azet.org>
From: Jeremy Harris <jgh@wizmail.org>
Message-ID: <56F5410C.8060906@wizmail.org>
Date: Fri, 25 Mar 2016 13:45:48 +0000
In-Reply-To: <79BB5D4B-A939-42F0-9F3D-3F9E59BC4668@azet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/pA40vUstQ4lifSz1NqNe_8HaNAI>

On 25/03/16 12:09, Aaron Zauner wrote:
>> On 25 Mar 2016, at 03:12, Jim Fenton <fenton@bluepopcorn.net> wrote:
>> REQUIRETLS is an SMTP service extension that allows an SMTP client to
>> specify (via a MAIL FROM option) that a given message must be sent over
>> a TLS protected session with specified security characteristics. Options
>> allow the specification of allowable methods of server certificate
>> verification, including web-PKI and DANE. In advertising its support for
>> REQUIRETLS, the SMTP server is promising to honor that requirement.

> This sounds very similar to what DEEP is trying to achieve, can you highlight important differences?

As I read them:

REQUIRETLS covers an entire chain of to-MTA hops (by requiring not only
TLS but also REQUIRETLS on a forwarding hop, or bounce).  It would
presumably cover the MUA-MSA hop (as DEEP does) when SMTP was used
there.  It SHOULD's secure access by the destination MUA (though that
will be hard, in many implementations, as it requires implementation
in a separate lump of software).  It works on a per-message basis.

DEEP talks in terms of per-mail-account configuration.  It deals with
both submission and access.  It talks about UI presentation of
security status.  It does not cover beyond the MSA or MDA.

-- 
Cheers,
  Jeremy
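The hop-by-hop property Jeremy describes (a relay may only pass a REQUIRETLS message on over TLS to a next hop that also advertises REQUIRETLS, otherwise it bounces) modelled as a small policy check. This is an added illustration, not code from the thread, from Exim, or from the draft; the names `Hop`, `Envelope`, `parse_ehlo` and `relay_decision` are assumed, the EHLO reply is constructed, and only the presence of the `REQUIRETLS` EHLO keyword is modelled, since the draft's MAIL FROM option syntax is not shown on this page.

```python
# Constructed model of the per-hop check a REQUIRETLS-aware relay applies.
# Names (Hop, Envelope, parse_ehlo, relay_decision) are illustrative, not from any draft.
from dataclasses import dataclass, field


@dataclass
class Hop:
    """What a relay learned about the next-hop MTA before sending MAIL FROM."""
    keywords: set = field(default_factory=set)  # EHLO extension keywords
    tls_verified: bool = False  # STARTTLS negotiated and server certificate verified


@dataclass
class Envelope:
    """The only envelope detail modelled here: did the sender assert REQUIRETLS?"""
    require_tls: bool


def parse_ehlo(reply: str) -> set:
    """Extract extension keywords from a multi-line 250 EHLO reply.

    The first line is the greeting (hostname), so it is skipped; each later
    line is '250-KEYWORD [params]', or '250 KEYWORD' for the last one.
    """
    keywords = set()
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue  # not part of the success reply
        body = line[4:].strip()
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def relay_decision(env: Envelope, hop: Hop) -> str:
    """Return 'forward' or 'bounce' for a message at a forwarding hop.

    A relay must not downgrade: with REQUIRETLS asserted it forwards only over
    verified TLS to a next hop that itself advertises REQUIRETLS (so the promise
    is kept along the chain), and bounces otherwise.
    """
    if not env.require_tls:
        return "forward"  # nothing asserted; ordinary opportunistic delivery
    if not hop.tls_verified:
        return "bounce"  # TLS absent or certificate not verified
    if "REQUIRETLS" not in hop.keywords:
        return "bounce"  # next hop cannot promise to honor the requirement onward
    return "forward"


# Constructed EHLO reply from a next hop supporting both STARTTLS and REQUIRETLS.
SAMPLE_EHLO = "250-relay.example.net Hello\r\n250-STARTTLS\r\n250-REQUIRETLS\r\n250 8BITMIME"

if __name__ == "__main__":
    hop = Hop(keywords=parse_ehlo(SAMPLE_EHLO), tls_verified=True)
    print(relay_decision(Envelope(require_tls=True), hop))  # forward
```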