IETF Logo Mail Archive

Re: [Uta] Benjamin Kaduk's Discuss on draft-ietf-uta-smtp-require-tls-08: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Wed, 31 July 2019 23:03 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A29F120074; Wed, 31 Jul 2019 16:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZaPC5umv0RjJ; Wed, 31 Jul 2019 16:02:57 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 821AC120073; Wed, 31 Jul 2019 16:02:57 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x6VN2rPA022325 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 31 Jul 2019 19:02:55 -0400
Date: Wed, 31 Jul 2019 18:02:52 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: uta@ietf.org, The IESG <iesg@ietf.org>
Message-ID: <20190731230252.GM1006@kduck.mit.edu>
References: <156339110885.25873.1576291155471550816.idtracker@ietfa.amsl.com> <c2469336-c6ca-37e1-2a5a-12a9e3a3fec4@bluepopcorn.net> <20190731000222.GV47715@kduck.mit.edu> <20190731011940.GA24255@straasha.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190731011940.GA24255@straasha.imrryr.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/sqjaqgtvJW7JDt6FL2UqLpvDjek>
Subject: Re: [Uta] Benjamin Kaduk's Discuss on draft-ietf-uta-smtp-require-tls-08: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2019 23:03:01 -0000

On Tue, Jul 30, 2019 at 09:19:40PM -0400, Viktor Dukhovni wrote:
> On Tue, Jul 30, 2019 at 07:02:23PM -0500, Benjamin Kaduk wrote:
> 
> > > This work was inspired by a paper, "Neither Snow Nor Rain Nor MITM ...An
> > > Empirical Analysis of Email Delivery Security"
> > > http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf that there was a
> > > presentation about at an IETF meeting a few years ago (can't find it on
> > > datatracker currently). If you think the draft would benefit from
> > > additional motivation, I could mention this paper and add an informative
> > > reference to it.
> > 
> > This makes it sound like your stance is roughly, "we want to make TLS on by
> > default but have to deal with deployed reality in order to get there",
> > which would seem to have the consequence that "MTAs implementing
> > require-TLS should default to requiring TLS and only request no-TLS in
> > special cases".  I would support such a position, and in that case would be
> > less concerned about the apparent lack of a "don't care" option, since
> > there is less of a decision burden when there is a clear default behavior.
> 
> I don't quite understand this comment. :-(  Typically, the "Require-TLS"

Probably because it has no sensible interpretation; sorry about that :(

I think that the only change needed is s/MTA/MUA/, though.

> signal originates at the submitting MUA, not an MTA.  MTAs may
> *support* "Require-TLS", but they generally won't originate the
> policy for messages in transit.
> 
> Some MSAs (or outbound edge MTAs) may add "Require-TLS" to messages
> in transit for "business-partner" destinations where there's a
> reasonable prior expectation that authenticated TLS is available
> along the entire delivery path.  But this will be the exception,
> rather than the rule.
> 
> Similar considerations apply even more strongly to explicit "don't
> care", which should not be added by a transit MTA, and instead
> should result from a user's choice to request delivery even in the
> face of degraded transport security.
> 
> So I don't know what to make of "MTAs implementing require-TLS
> should default to requiring TLS and only request no-TLS in special
> cases".
> 
> Neither requiring TLS (end-to-end in the sense of the present draft)
> nor requesting "no-TLS" (really requesting delivery despite lack
> of or failure of authenticated TLS en-route) is somenthing that the
> MTA would normally choose.  Rather the MTA, in support of the
> present draft, would implement the policy conveyed in the message
> envelope (require) or headers (don't care).
> 
> Sorry to be so dense, perhaps you can expand your point to make it
> more clear...

Just my tired brain being sloppy about MTA vs. MUA (and not even reading
the document properly, either).

Thank you for expending the time to write out the explanation above; I
think probably we have shed enough electrons on this topic, should take
Jim's proposed new text, and move on.

-Ben

v2.23.0 | Report a Bug | By Email