Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mta-sts-17: (with COMMENT)
Daniel Margolis <dmargolis@google.com> Thu, 10 May 2018 13:53 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E76712EAD8 for <uta@ietfa.amsl.com>; Thu, 10 May 2018 06:53:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kyU4Cg-cWNmO for <uta@ietfa.amsl.com>; Thu, 10 May 2018 06:53:28 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24FA212EAD9 for <uta@ietf.org>; Thu, 10 May 2018 06:53:26 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id e78-v6so3104185iod.0 for <uta@ietf.org>; Thu, 10 May 2018 06:53:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mj2jsBwaD4QJ1Ax0UMSKRsTkGx+zELsEAtpm6fCj6hU=; b=LPIdpRbTjKur8fzol1hxIQ0isyu7jJlp1Qcg4lQQTBL+GFU3cHUhUjmX+TM5nc5JHM ZDhUjQS0VeXtGBZY+SNDZZAIEry1xife9lQHQdaYnHxLxBLPsBLqeJgQgP18e6tYOLci c4bY3V/AwxV8kcEtJi/qclhtmqUmAcnX5a+NtdaavvYyPK08Bg6sITTzToMEfi4bTBM/ Y8n6Zqs4CvU2IK7BUzL/nHynZvPjII2jREC2699Qt4fofgAbuKJ5XV6wcUrvb4aiRXIK 8wZ/syTxJMCP2wa4l5gFR+Upoo2zBNa8H0R1hNP4DO8rCVVuUCBrkDsQQlwO/twDWr9a BbpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mj2jsBwaD4QJ1Ax0UMSKRsTkGx+zELsEAtpm6fCj6hU=; b=bYInL9cCh/sg0IvGQiJKvbZmbj1Gt7bdzdWr/2X3n3mgc+iDGWxklG8+GR3XcSn2J5 o0dOeFDDemNeCt3IiCH3ORhdZ4RAA01odufhGcjGIEt3WIKEEdev/xcCvPdI9DIvmZdX jI7m8bTWetMrZ7MXGTb9+9aZEWZghTc9Sq6XkdA0At4GrWYpbMEL7hD3iu6a2BWKBCnL 9HfyDHXxLF6WYNjNqAF/FYJQfzYqBfcbv0rRVGEkLYdPVTccM70ctPYAKJcJhcr4gOY1 0DNBxGGxf1Ne1ij0IpK8gZZT+cvR95MBlJb9I9W/JJ9j58d3LsLMBREuWLzL9ZiCfREc lTag==
X-Gm-Message-State: ALKqPwczxxsNo8LQFcQUpeRj+aU8Nzl7yFaRxouquY3orLINBzKEQ37K qRfiB2WmH/dSaxNic6b7LbBVbemfz4rvHvchr/BAxA==
X-Google-Smtp-Source: AB8JxZqNtJ6oCZJM84xsVJNE9TQJaHJd8xjmPKap6t2JM7atUI1/1MCP4FT1P+zqWqT6HeQXE6hdz/rJw42kZRJp6kA=
X-Received: by 2002:a6b:c741:: with SMTP id x62-v6mr1494714iof.97.1525960404942; Thu, 10 May 2018 06:53:24 -0700 (PDT)
MIME-Version: 1.0
References: <152591963999.10271.12550778138694053024.idtracker@ietfa.amsl.com>
In-Reply-To: <152591963999.10271.12550778138694053024.idtracker@ietfa.amsl.com>
From: Daniel Margolis <dmargolis@google.com>
Date: Thu, 10 May 2018 15:53:05 +0200
Message-ID: <CANtKdUeZLyGtthwEUYjURbwjTZSG7ug-hPcnjFwP79y-P=4xsg@mail.gmail.com>
To: Ben Campbell <ben@nostrum.com>
Cc: iesg@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta@ietf.org, uta-chairs@ietf.org, Leif Johansson <leifj@sunet.se>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000ec350d056bda57dd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/s0MZHapQTFEnUvdElo0axFiDaYM>
Subject: Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mta-sts-17: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 13:53:31 -0000
On Thu, May 10, 2018 at 4:34 AM Ben Campbell <ben@nostrum.com> wrote: > Ben Campbell has entered the following ballot position for > draft-ietf-uta-mta-sts-17: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I'm balloting "Yes" because I want to see this work published. But I have > a few > concerns: > > §3 seems to leave much of the interpretation of the TXT record as > "implication". It should be explicit. I'd like to see the specific steps > the > sender is supposed to follow (perhaps the flow in §5.1 could be expanded to > include the TXT query and interpretation? The specific reason we kept section 5 only about "application" (and not "fetch"). There is (I hope) a natural abstraction layer between the two. Perhaps instead we should add a similar "control flow" subsection in section 3 or 4, if we can figure out what should be in that subsection. Questions below: > For example, the idea that a non-existent record means no MTA-STS support > is > sort of buried in the description of multiple text records. Would it be > reasonable to say that the sender SHOULD NOT query for policy if the id > hasn't > changed since a previous query? > Just to be clear (though I think this is what you meant), a non-existent TXT record only means there's no new policy to fetch. It does not say that STS is not supported, exactly--if the sender has a previously cached and non-expired policy, the sender MUST apply that cached policy. In other words, policy fetch failure has no meaning with respect to whether the recipient domain has implemented STS, and what to do in this case depends on the state of the sending MTA (whether it has a previously fetched policy or not). So a statement like that might bring the clarity you want? What do you think? With respect to your last sentence, I'm afraid I don't follow this part. A sending MTA can certainly query for a new policy even if the TXT record's ID hasn't changed. I see no reason to--because a working system MUST NOT require senders to do this--and senders probably SHOULD NOT do this in order both to a) ensure people use the DNS signalling mechanism appropriately and b) to save traffic to the HTTPS endpoint--but it's an operational issue and not one of correctness per se. §3.3: > - "When fetching a new policy or updating a policy, the HTTPS endpoint MUST > present a X.509 certificate which is valid for the "mta-sts" I find this > confusing. Which endpoint is doing the fetching? Which one MUST present the > cert. Are we talking about this in the context of TLS or something else? Yes, this is in reference to the "policy host" (i.e. mta-sts.example.com"). The HTTPS client in this context is the sending MTA. I will try to add some clarity to that effect. > - Why > is checking for certificate revocation only a MAY? This is discussed a few other places on the working group, but in short, it seems to me the ecosystem is not exactly on the same page with respect to revocation. From my rather limited knowledge, OCSP Must-Staple is probably the only currently-viable option (in terms of having the security and functional properties we want), but is not widely supported in MTA land (e.g. Postfix does not support OCSP at all). If there's a meaningful (i.e. in our threat model) and widely implemented/applicable approach here, we should use it, but I don't think there is. (For HTTPS, revocation is maybe more viable, but absent revocation support on the SMTP TLS channel it doesn't really help to require it in one place.) > - Does the term "sender" > refer to the SMTP sender, or something else? > Yes, the SMTP sender. I can clarify this--can you help me by pointing out the places this stands out as confusing language? Or should it just be included in the Terminology section? > > §4.1: Why is checking for certificate revocation only a MAY? > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] Ben Campbell's Yes on draft-ietf-uta-mta-st… Ben Campbell
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Daniel Margolis
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Viktor Dukhovni
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Daniel Margolis
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Viktor Dukhovni
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Daniel Margolis
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Viktor Dukhovni
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Daniel Margolis
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Viktor Dukhovni
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Ben Campbell
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Alexey Melnikov
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Daniel Margolis
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Daniel Margolis
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Viktor Dukhovni
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Viktor Dukhovni
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Daniel Margolis
- Re: [Uta] Ben Campbell's Yes on draft-ietf-uta-mt… Viktor Dukhovni