IETF Logo Mail Archive

Re: [Uta] Benjamin Kaduk's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Wed, 27 February 2019 19:35 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE0D81310D9; Wed, 27 Feb 2019 11:35:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNi5Vs1cOo1c; Wed, 27 Feb 2019 11:35:55 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800099.outbound.protection.outlook.com [40.107.80.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 907B21310AF; Wed, 27 Feb 2019 11:35:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P1xT1Wc6rWoub15hfxRrSXboThmAgScbUCQSBQBRFNg=; b=fpY0y2QQoludqnT8zlzQ9u/0cGRBhYL7xSZstoTETYtXc82vUnapE3qVNpFXvZwcvVbsjiVn4uT/kAFs20hyj6ql21tS5s7t01K3H0/imQE4UBdIriDpip8AKoqSOO0XT16INzmOfiu8C56UOE7Dx9NkarFs7sRj3ryy6k1dVMA=
Received: from BYAPR01CA0016.prod.exchangelabs.com (2603:10b6:a02:80::29) by BYAPR01MB5173.prod.exchangelabs.com (2603:10b6:a03:7f::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.21; Wed, 27 Feb 2019 19:35:51 +0000
Received: from CO1NAM03FT032.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e48::203) by BYAPR01CA0016.outlook.office365.com (2603:10b6:a02:80::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.18 via Frontend Transport; Wed, 27 Feb 2019 19:35:50 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by CO1NAM03FT032.mail.protection.outlook.com (10.152.80.173) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.13 via Frontend Transport; Wed, 27 Feb 2019 19:35:48 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x1RJZgKt030684 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 Feb 2019 14:35:44 -0500
Date: Wed, 27 Feb 2019 13:35:42 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: The IESG <iesg@ietf.org>, uta@ietf.org, uta-chairs@ietf.org, draft-ietf-uta-smtp-require-tls@ietf.org
Message-ID: <20190227193541.GR53396@kduck.mit.edu>
References: <155072491254.20210.15187912705241578950.idtracker@ietfa.amsl.com> <290706DA-2C5E-4255-8BB7-C6951B385CD6@dukhovni.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <290706DA-2C5E-4255-8BB7-C6951B385CD6@dukhovni.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(346002)(376002)(136003)(39860400002)(396003)(2980300002)(199004)(189003)(15404003)(14444005)(1076003)(53416004)(106002)(53546011)(186003)(47776003)(110136005)(229853002)(5660300002)(8936002)(356004)(305945005)(86362001)(8676002)(58126008)(2201001)(246002)(106466001)(478600001)(97756001)(26826003)(956004)(23726003)(450100002)(50466002)(88552002)(104016004)(33656002)(126002)(476003)(426003)(11346002)(446003)(2906002)(486006)(316002)(7696005)(786003)(46406003)(76176011)(26005)(6246003)(16586007)(55016002)(75432002)(336012)(18370500001); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR01MB5173; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 7a606af7-ffb1-4183-ffe6-08d69ceac783
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060); SRVR:BYAPR01MB5173;
X-MS-TrafficTypeDiagnostic: BYAPR01MB5173:
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB5173; 20:sm8byeF4pLlh1kMy0zfbD/jXUNcZuxNqGM3fOXkJRsIt3Flo6BHLFW4yQ62Zzvw29OCP+W7Skfep3YEK2rvaxDHaNEokbzrD/Yv2vlOxGKvUNCyvIgLYyKLvvl1/w96YNBAAUahyuCf79MFATZQQ1dxsXc6R1mBlvf6WfCa/J0sJOxX9UP9KAebVBfE7XGNffYTMDyWLqjzKT8MW+eIsO3G0WlMZiHn/t7swW3i19L4mPWefaKlVVHyRfjrTX9O0ejvIm0MQzhewy1tpi4h84hyRL18aHChyVczjZYsyDO4Vee1VV+rQ8H+LlVgtVNOAur3vlbOjIasclih4Q94b2Ocpx6I7DMyIFfwU9xKekdomE4w2WQ34DjIXACSNwDQuA4B4liuq/mmJ0RsNXOYpXV20CYmK1ec/ljWuJbXVudLodlcGdjEKH9wTMrfk9SnIfvNN2HWgUXOVA7LXeITgLCg4ZeEC1DkA7wHt8v8wutKuVCRVSRdwQumFNoWrNApK//uIkQs+0W2TkL+c18rOlM19G1yBAz5F5sJYoakuW2c8DWE0xuuEFr41FZpcrPaz+YRsFOdobeHNr7LpJ1tfKmg5argKblNLjaXhUVDIuBw=
X-Microsoft-Antispam-PRVS: <BYAPR01MB51738A832707A24C27341023A0740@BYAPR01MB5173.prod.exchangelabs.com>
X-Forefront-PRVS: 0961DF5286
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB5173; 23:az2BWEPujqPAlg3K7Jtzk8UJ7gXZQ3WyXb6YYSY3zoLRAXxENRx/UsiN7gWSkH9R93+TVCSi/kMX0CBKTrabwH+x5PfSkZfwDOL5e8jNKS/WZE0XTi1iiHHqM7EanaaB+aZiFSDVHofSe/EqxRNsO6PQitaEec5/K3Qd3lFiIPEmLwmSzbCaj25t5Cjg+GZdepYZTpUv3SXnWZ0DUOaA3XHz6uHhHjUHuB3NlbqO/lCsRZJTbmEXsZ0atetPGI6ZFtwurB1OEXW/BQCNNMSuam6NzjOxtMl5+ewceufC4g8BNSqWvaYpMnMaKaAenTGM9vU6BhLK3FL4aDh7UCq6gUhD5WRIVj/muN6AZjjv2hd99AFjfs85FxycpuowtFF2UjqUVL496OnZBzKW0kep1mRuMinlvdR/9gMjxtlvqGq115rQzjAbRC2yfy7AVtLnDLW0IKTRbHrZa6UmvZZmMOTBb2w0+roziR4lRG4wV1J2armfmRJQdiFUsm2WbLpk7FpJFEP+UbKz5v5iN3VK/vjluZBgrVImUXA5JhkciNWaNnT77G8ck0LRa9JrXuEySq3YFWEt9fVz+XAc7y2GpzUVNQwBtS3Yw2wL8Sz+AWZBcjNqRPS3bR29JJ5xtAJMmIIZrEDlkj4azMsvnfuxwHjKsmfrELue+t+VyuYK+SKkfNWOdWCQHAkJIS2exKOsQqpToQDXLYtATlf+pGFz/LjfKKJRSy9XXM1l7i/2/4QkJY1RwidrCxJK4KATjgG7Y75aoul49XiYan3SO4SLcysXILJgfhlmwSft85EByMtE7CUKJKjzUXsM0X8EUo26dzn7vRe/euZi3EcieldlFjAbsgGRwFHjKrcVBwJB5tH4OCAccX6OlzWoErRtTGr1v8/ToH4MS7rnDnqmgaNuJ/UHf0MyVDTnKIHx8/VbTc/axxyEvrXdQVxGSMDHVWE/3Eqk2szyMBd9GlMGb8w6mhXGaGItH4ihsbnQdr0tsnZlpmZgh4/G3qPJVovBHp3avzBoa7J1dBKfFnsgG9gqVBgy5bsYEdHhZ+lc9mwnQiGIdudoATc0QEI/+uE6rhWH75sgNe7QsIvE4qRTn05N7FgNHXtZmyUX9WiU66jyUxfgTFEMd43UMU7WEF7vvGzyW7/3DhA4WUllZKSiScNQsEgk3Z+hVb+nHPgGT/NFp5d41giJr+I2IjXZIT+n1Tp6q1bvmMDu8vJGBiR0IdRsIWI/jphq7r9dUmy7L9GkhkE=
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: H97hGT0zcs/wltE/4fG7o5f+GpXfTmzUw0Q9GrxTN4S8snbALe8BUgBpt0pkvExPq7wUgursiTFirxrGKYsS0VwHJoi0Ol+oBLRBpkF9pcFncJoyAK758kbJ/hWrPYmjR8LIfw3dXn7DCfeBS8qsZn7eRJuwJNRxT0lwDTwPECONZowuk23oyl+XQwfzXB7HGFrqFaMg9hPw9sAFuRJgqiYirxtJ4oRICAMoQ0/SzdPi85FLaRDvBqqb2eF1tLwPtloFVHnlA9P36NBvh/Mb5sOVsZ7z5n3bOepAq+px8B/75obQgQyroGspFOP3dr+u4NYnvqDvzs7AdHDR+Nwa3CX0YZ8uKs9I5cNaVgnvOJyZ8kUv22Z9b3pEAdOLRZq++P+8/9hXCTSLVqlzJFGwqSf0YjfguEg/Rf2w2u+hTjE=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Feb 2019 19:35:48.3695 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 7a606af7-ffb1-4183-ffe6-08d69ceac783
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR01MB5173
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/sMIJOZeWuqNeoSgEXdsy9uwiWic>
Subject: Re: [Uta] Benjamin Kaduk's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 19:35:59 -0000

Hi Viktor,

Sorry for the slow response.  It took me a while to mull over why exactly
this position felt incorrect to me.

On Thu, Feb 21, 2019 at 12:54:17AM -0500, Viktor Dukhovni wrote:
> > On Feb 20, 2019, at 11:55 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> > 
> > While I understand that there can be cases where it is desired to ignore
> > recipient-domain indications to use TLS, such as to report problems with
> > the TLS capabilities of those domains, I have strong qualms about
> > describing this protocol as an "override" for DANE and MTA-STS, or that
> > such recipient-domain signals should be "ignored".  In effect, by
> > attempting to do so, this document is fundamentally modifying the
> > protocol semantics for (SMTP) DANE and MTA-STS, something that can only
> > properly be done by clearly calling out the behavior change and an
> > Updates: relationship with the documents whose semantics are being
> > modified.  Alternately, it could also be reasonable to remove claims of
> > "override" or "ignore" and to leave the semantics of the header field as
> > being that the sender requests one behavior, and the MTA can balance the
> > requests of the sender and recipient at their own discretion. This is
> > still not a great option, though, as it would seem to put multiple IETF
> > proposed standards at odds with each other.
> 
> My take is rather different.  I see "REQUIRETLS = no" as an enabler of
> adoption for DANE and MTA-STS, and as the primary feature of this draft
> that will have a more significant positive security impact (by paving
> the way to adoption of more secure transport by default) than the
> "REQUIRETLS = yes" option, which likely won't see much use.

It seems like implicit in this stance is a belief that DANE and/or MTA-STS
as currently specified are flawed, in that they do not have a reasonable
path to substantial deployment (in bounded time).  I'm inclined to believe
you about that; you have a lot of real-world experience in these areas and
also have spent a lot of time working on finding actual deployment paths!
But what I have trouble with is that the response to "DANE/MTA-STS are
flawed" is not "make an extension to them that fixes them" but rather "make
a new thing that says to ignore parts of them", with no pointer from the
DANE or MTA-STS ecosystem to the new thing, to let people know what they
should be doing.

> There's no conflict with DANE and MTA-STS here, neither trumps the
> senders local policy, whether set by the administrator or delegated
> by the administrator to the user.

Local policy will always be a trump card; sure.  It is free to ignore any
and all RFCs.  But we still have some responsibility for what guidance we
provide as input into local policy, and having one RFC say "ignore that
other RFC" when both are active proposed standard documents (and not in an
Updates: relationship) doesn't look very good.

> While we can hope that operational excellence will make delivery problems
> due to botched MTA-STS or DANE rare, there will surely be temporary outages
> here and there, and giving users a mechanism to work around them is better
> than disabling transport security for all users at the first whiff of a
> problem, defeating much of the protection that DANE and MTA-STS would
> enable.
> 
> Providers that support a user override, can be much more confident that
> enabling recipient security policy will be something their users can
> work with, because on a delivery failure, the user can resend with
> "REQUIRETLS = no" if the message requires little privacy protection,
> but is time sensitive.  The user knows best which messages are OK to
> resend without authentication (possibly in the clear).

It sounds like we could frame this as a DANE/MTA-STS "escape hatch",
wherein the sender knows that the recipient requested TLS but the sender
decides to send without TLS anyway.  But this still seems like it would
need some concrete tie-in to the base DANE/MTA-STS specs.

> Companies where there are regulatory constraints to not let users
> override transport security policy (HIPAA, ...) can elect to not support
> "REQUIRETLS = no" and even strip the header to reduce the likelihood
> of it taking effect downstream.

Sure.

-Benjamin

v2.23.0 | Report a Bug | By Email