Re: [Uta] Updated drafts for MTA-STS & TLSRPT

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 February 2017 21:43 UTC

> On Feb 24, 2017, at 3:33 PM, David Illsley <davidillsley@gmail.com> wrote:
> 
> I think I agree with where you've got to, but I do want to clarify
> that I think it's important that a shorter refresh period doesn't
> shorten the policy expiry - we want a 6 month policy to be cached
> and relied on for 6 months, even if, for most of that 6 months an
> attacker is blocking a more frequent DNS policy check.

That's a given, modulo local policy on the sending side that might
set a lower ceiling on the length of time for which policies are
allowed to be cached.  Remote systems should not be able to force
cache storage indefinitely.  The effective cache lifetime will be
the lower of the remotely requested lifetime and the local policy
ceiling.

Refresh failure with periodic probing does not invalidate already
cached unexpired data.

If you feel this needs to be said explicitly, that's OK.  It seemed
pretty obvious to me.

-- 
	Viktor.
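As an added illustration (not part of this thread, nor of any MTA-STS draft or implementation), here is a sender-side policy cache that applies the two rules stated above: the effective lifetime is the lower of the remotely requested max_age and a local ceiling, and a failed periodic refresh leaves unexpired cached data in place. The ceiling, probe interval, field names and sample values are assumptions.

```python
# Added example, not from the thread or any draft: an MTA-STS policy cache.
# The numeric ceiling/interval and the field layout are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SIX_MONTHS = 6 * 30 * 86400      # constructed sample of a remotely requested max_age
LOCAL_CEILING = 90 * 86400       # assumed local ceiling on how long policies may be cached
REFRESH_INTERVAL = 86400         # assumed periodic probe interval (daily)

@dataclass
class CachedPolicy:
    domain: str
    mode: str
    mx: List[str]
    expires_at: int   # min(remote max_age, local ceiling) counted from fetch time
    next_probe: int   # when to re-check for a newer policy; never shortens expires_at

def effective_lifetime(requested_max_age: int, ceiling: int = LOCAL_CEILING) -> int:
    """Remote systems cannot force indefinite caching: clamp to the local ceiling."""
    return min(requested_max_age, ceiling)

class PolicyCache:
    def __init__(self, ceiling: int = LOCAL_CEILING, refresh_interval: int = REFRESH_INTERVAL):
        self.ceiling, self.refresh_interval = ceiling, refresh_interval
        self.entries: Dict[str, CachedPolicy] = {}

    def store(self, domain: str, policy: dict, now: int) -> CachedPolicy:
        ttl = effective_lifetime(policy["max_age"], self.ceiling)
        entry = CachedPolicy(domain, policy["mode"], list(policy["mx"]),
                             expires_at=now + ttl, next_probe=now + self.refresh_interval)
        self.entries[domain] = entry
        return entry

    def lookup(self, domain: str, now: int) -> Optional[CachedPolicy]:
        """Unexpired cached data is relied on regardless of recent probe outcomes."""
        entry = self.entries.get(domain)
        if entry is None or now >= entry.expires_at:
            return None
        return entry

    def refresh(self, domain: str, now: int, fetch: Callable[[str], Optional[dict]]) -> Optional[CachedPolicy]:
        """Periodic probe: a failed fetch (None) only reschedules the next probe;
        the cached, unexpired entry stays valid until it expires on its own."""
        entry = self.lookup(domain, now)
        if entry is not None and now < entry.next_probe:
            return entry
        fresh = fetch(domain)
        if fresh is None:
            if entry is not None:
                entry.next_probe = now + self.refresh_interval
            return entry
        return self.store(domain, fresh, now)
```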