Re: [Uta] back to smtp-sts-04
Daniel Margolis <dmargolis@google.com> Sun, 23 April 2017 12:43 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FF4612941A for <uta@ietfa.amsl.com>; Sun, 23 Apr 2017 05:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZLPzwbbKS3vF for <uta@ietfa.amsl.com>; Sun, 23 Apr 2017 05:42:59 -0700 (PDT)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC2851270A0 for <uta@ietf.org>; Sun, 23 Apr 2017 05:42:58 -0700 (PDT)
Received: by mail-io0-x229.google.com with SMTP id r16so151255437ioi.2 for <uta@ietf.org>; Sun, 23 Apr 2017 05:42:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=LKizw3XwtXt6Yl+yzeX3CqGsvbYSwWJGSyAVntgsu3s=; b=dqtswlywsB0+c6rfn+gBtXsZoYnToGR6QrP3J3ZCjGfPmJg7ZHMSnfKCIMo4yuyaCc DxRX+mbCd71fcV55ePr+zC4snhMaAj4zmQvWIS/5te/CWZ5buMMpseEVKZGXBUCYuswz Mgt3v79r/0Z4UgHGodupVHQwBK9SEKUH1jGtc3CMfNkHLdJH1Ct6zwfiRoBXIvxuPfUP r3Ia6XUgaxPpDUXyRCnkoIFXtQcwdOPOZ+DV0s5LrL6PQxcaIDCND1a5miHC2uyDYEwu TJzNpWKo6oEq9vow4Dybv0WDENaLY/Gc4/KniFjEvpITMFGc+Dh1sFVHTvVh6VsQld5g eiLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=LKizw3XwtXt6Yl+yzeX3CqGsvbYSwWJGSyAVntgsu3s=; b=IW1fshOOwJChaWGDmWPvIsMNLxBZJ7Frk507vjd9ErVQsttdpXYorTd1/OPu2OY2sM 94MXIDA6kkbMNGrcr+JHVfIUs3kSCIUzXhUxqqvHTsSz5aXw0qNT/w9EcoSy6+1lWPk7 sbRPO86NytqxNoU1SnCg1Ibz68Q7Yq1NrFsxJ6Nbzo8yWwMrWxkX3c6x95ioCKbqNtmb WwZthDYhAV1lplGlXeefg1osEuGI00zXQr7CYXEU5hpwyiNFVschncZK2RDoc23qkwPl kA3ZhNruBpJXBKbv16ueJSN6XAeWDCX4EKJ6slAyXFwYAWIiK8LHb4aq7vPnRW6ZaXEg YI3w==
X-Gm-Message-State: AN3rC/7B0rB+gJvYMFQ85LudvbPSTh8HaJJBmiqus6wpQFebckc7vbf2 RrH7Zl/0SHNS/M5SGazdv86bBEGeUASjPjU=
X-Received: by 10.107.6.134 with SMTP id f6mr1470218ioi.96.1492951377408; Sun, 23 Apr 2017 05:42:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.111.11 with HTTP; Sun, 23 Apr 2017 05:42:56 -0700 (PDT)
In-Reply-To: <B8600601-9344-427A-B159-B57E982F3BAF@dukhovni.org>
References: <52dde16a-a3bb-5844-7daa-a349def85049@wizmail.org> <80676A32-78CB-4FFA-AEE4-94DA95102B98@dukhovni.org> <a2a6e5f5-ff3b-272b-abda-b49fe23a485d@wizmail.org> <605FE793-3D82-4C4F-9F93-D50DF4320DF5@dukhovni.org> <9402ac0a4990432f994656ddaf94b9e2@COPDCEX19.cable.comcast.com> <CE55E42E-9845-46A6-B0AA-F56CE56F2936@dukhovni.org> <CANtKdUevHbQaUga2=X0tFy4K=po=DL=pKUn-2KZQgRUPTtYAig@mail.gmail.com> <B8600601-9344-427A-B159-B57E982F3BAF@dukhovni.org>
From: Daniel Margolis <dmargolis@google.com>
Date: Sun, 23 Apr 2017 14:42:56 +0200
Message-ID: <CANtKdUdKmOisdh1j_cFuJ=VCyxJBH-GMWW4DAowC2KZjCFUk1A@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a113ee09c8ea256054dd4d4f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/pUa7RMSaxkuP5_vhL1kS98kR2xE>
Subject: Re: [Uta] back to smtp-sts-04
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Apr 2017 12:43:01 -0000
On Sun, Apr 23, 2017 at 4:50 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > > > >> Speaking of the policy, what should be done if the HTTPS policy > >> contains multiple JSON objects, no JSON objects, or broken JSON? > > > > "If a valid TXT record is found but no policy can be fetched via > > HTTPS, and there is no valid (non-expired) previously-cached policy, > > senders MUST treat the recipient domain as one that has not > > implemented MTA-STS." > > > > If you can't parse it, it's not a valid policy, so you fall back to > cached-non-expired or none. > > Same as if there's an HTTP timeout, an HTTPS cert validation error, etc. > > Getting an authenticated invalid policy seems rather different from failure > to retrieve the policy. The latter is obviously a temporary condition and > one can stick with what's cached. On the other hand when an authentic > policy > fails to parse, it seems clear whatever we had in the cache is no longer > the > current policy. So what is the right course of action is not so clear. > It's not clear, to be sure, but any other strategy is complex. If we can't parse the new policy, do we assume a misconfiguration and fail open? It's a corner case where the most predictable behavior, to me, would be to ignore new policies which are unparseable. I think predictability here is a virtue. Of course, my intuition about expected behavior may be wrong. But if I'm correct on what's "predictable", overriding that intuition with explicitly specified behavior (like, "unparseable policies should be taken as a sign that the recipient domain is confused and has opted out of STS, despite any valid cached policy") seems not desirable to me, unless the risks are very high. > >> How does a domain get rid of its STS policy? I thought we had discussed > >> using "max_age = 0" for this, which after being in place long enough to > >> assure that all previously cached policies have expired can be removed. > >> Or might just "404" suffice > > > > Yes, I remember discussing this. But I am not sure such a mechanism is > needed. > > I rather think it is needed. When a domain changes hands, or no longer > wishes > to deal with the hassles of certificate expiration, it must be possible to > revoke the policy. > > > 1. Domains can publish a "report" policy (with or without a TLSRPT > record!) > > with a low expiration > > What happens when that expires? It is again found and refreshed unless > there's > a way to ultimate say "no policy". > Sure, but as I explained, given *any *hypothetical "opt-out" mechanism, it is theoretically not possible to design one which you do not have to keep publishing until $time_you_last_had_a_different_policy + $that_policy's_max_age has passed. (Since I'm referring to this time below, let's call it "old policy expiration time.") In other words, publishing a report-only policy with a low expiration is just as good as publishing an "opt out" policy, in the sense that in the former case you have to publish the report-only up until the old policy has expired everywhere, and in the latter case it's identical. > > 2. They have to keep this policy published until "last time the old > policy was > > published" + "old policy's max_age" > > Yes, but that's not actually policy removal. Clients will likely still > end up > collecting stats for reports, even if they later prove undeliverable or > there's > no address to send them to. > As I discussed, the only consideration here seems to be one if, "Are the costs of 'reporting' (i.e. stats collection, etc) sufficiently high to warrant the need for an explicit opt-out mechanism?" I don't personally think so, but I may be wrong here. > > Let's consider in comparison an implementation with a special "opt out" > mechanism > > (however it works). Would it avoid the above two knock-on effects, or be > easier > > to publish? > > It seems to me that "age=0" is simpler and more clear than "report". > Combined with > ultimate removal of the DNS TXT record the policy is eventually flushed > from caches. > Here and below in your email, it seems your main question is (to paraphrase), "When will senders know to stop caching a policy, even if it is a 'report only' policy?" In fact there are two different things to consider here: 1. When can the recipient stop publishing the "opt out" policy? 2. When can the sender stop caching the policy? The point I attempted to make in my previous email is that #1 is invariant, regardless of mechanism: in all cases, the recipient must publish the "opt out" signal until the max time at which the previous policy was published *plus* that policy's max_age has passed. (I believe this is obvious.) However, #2 is also mostly unchanged in most of these various designs: assuming any "opt out" indicator that uses the usual TXT "id" string as an indicator of presence, senders will want to cache the "id" seen in order to see if the "opt out" policy has been supplanted by an "opt in", if only to avoid repeated policy refreshes. (Of course senders could merely cache the last version seen for that domain and a null policy; they don't need to cache anything else for the sake of supporting opt-outs. And in fact, we could achieve the same security properties as exist now by purging the cache on opt-out and instead embedding one new boolean indicator in the TXT record, indicating that the new policy is an opt-out policy, to be fetched only by senders who have cached a non-opt-out policy. I trust the functioning of this approach is obvious, but regardless, it's needless complexity and I would rather not explain it if it's not. :) ) So the long and short of it is that one *cannot* design a system in which the recipient does not have to publish the "opt out" signal for this amount of time; I'm fairly sure that's an invariant. Contrarily, one *could* design a system in which senders do not have to cache anything at all for domains that have opted out, but, at least as far as I can see, only by modifying the TXT record format, which is not desirable to me. Two questions for you: 1. Is your main concern point 1 above (i.e. when can recipients stop publishing) or point 2 (i.e. how can we save cache space of cached "opt out" policies)? 2. If #2, can you propose with more detail how you suggest a different mechanism to work? Does it involve the TXT modification I describe above? Or is there a simpler way? > > -- > Viktor. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- Re: [Uta] back to smtp-sts-04 Viktor Dukhovni
- Re: [Uta] back to smtp-sts-04 Benjamin Kaduk
- Re: [Uta] back to smtp-sts-04 Daniel Margolis
- Re: [Uta] smtp-sts-04 JSON James Cloos
- Re: [Uta] smtp-sts-04 JSON Daniel Margolis
- Re: [Uta] back to smtp-sts-04 Daniel Margolis
- Re: [Uta] smtp-sts-04 JSON Viktor Dukhovni
- Re: [Uta] smtp-sts-04 JSON Viktor Dukhovni
- Re: [Uta] smtp-sts-04 JSON Binu Ramakrishnan
- Re: [Uta] smtp-sts-04 JSON Viktor Dukhovni
- Re: [Uta] smtp-sts-04 JSON Binu Ramakrishnan
- Re: [Uta] smtp-sts-04 JSON Salz, Rich
- Re: [Uta] back to smtp-sts-04 Peter Gutmann
- Re: [Uta] STS policy removal Viktor Dukhovni
- Re: [Uta] smtp-sts-04 JSON Viktor Dukhovni
- Re: [Uta] STS policy removal Daniel Margolis
- [Uta] mtp-tlsrpt-04 review Jeremy Harris
- Re: [Uta] mtp-tlsrpt-04 review Viktor Dukhovni
- Re: [Uta] mtp-tlsrpt-04 review Jeremy Harris
- Re: [Uta] mtp-tlsrpt-04 review Viktor Dukhovni
- Re: [Uta] mtp-tlsrpt-04 review Brotman, Alexander
- Re: [Uta] mtp-tlsrpt-04 review Jeremy Harris
- Re: [Uta] back to smtp-sts-04 Viktor Dukhovni
- Re: [Uta] mtp-tlsrpt-04 review Brotman, Alexander