Re: [Uta] Comments on draft-ietf-uta-mta-sts-03
Daniel Margolis <dmargolis@google.com> Tue, 28 March 2017 16:27 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D50212944B for <uta@ietfa.amsl.com>; Tue, 28 Mar 2017 09:27:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9akMullXeKAB for <uta@ietfa.amsl.com>; Tue, 28 Mar 2017 09:27:01 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D2E912945F for <uta@ietf.org>; Tue, 28 Mar 2017 09:26:57 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id y18so119645808itc.0 for <uta@ietf.org>; Tue, 28 Mar 2017 09:26:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uOOMJS7fjKnJMKT807Uf27ZzgvbB/3ocuv12k+lx8w8=; b=mpzMvqqkLbr2IoVbYJQyy3A3bQBMTOQDxtAmh03YS3cZC/BEVy4YlHDI7kUhg0in+c optXVBecLZw9mbL/3miGVJeb42WS5RPtDeLOlmF1cY3uGnOp9r0lc8KeuWv4sSlYIgh8 wWbouyLan7rtlXFtwgf3REyfQuR/21eSCZlbMUrqIVJ9jk3oGZ2X4102QyfaqdrCXW+2 PBiOdDz2IKw4qn4O0mLqEebYZGY/5x9dzKSXKUY6EPKGEqy0loglksUCWepy9PqkvDXb YPitV6EUN5Bf+eLVjiu2+P4TpPcADFcNjjKuF6KnDeYe2AXKNls18ZLqcRzyxa5WyuqN cF7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uOOMJS7fjKnJMKT807Uf27ZzgvbB/3ocuv12k+lx8w8=; b=Oi6VVBulTi0Pjf/sHlxmjc0W8ECxvmECQe3yrNN3CA9Wl00ZO5f4L4BPcAzonRRcwJ xEBDDub/vav264pqC20dcQ7dKlT9U5tmsRo9zGs/Mycs3qr4FwBtnY9vlHICCUZyHTws Z9tpqBQevtixL6/Dzjom2lgLThdHK7HtUVpkUvwJfkYrUFitNsene3P2nf1A6Kzb6ORl zmhOMl7Ls/ofFYj8U0xx7Y++lacsTS7p59GHViuRgxSFX07W0GBGXGQ2wXU7H0rMAwBx jtWUs4DlIPWbPui1XT1KW6jvyd0HycmpcDz43UpD6sNjsp9rxFr3nlYvTk7EYbPN6rEz gRxg==
X-Gm-Message-State: AFeK/H00qtz3Rr1fJ+MPzQb2NAlsBvkNtJmDvDl2zAo2/5t0Z7b9LaZ+F3lu1uqu2802RWjRSYLEAV+R5wMBFYo1
X-Received: by 10.36.53.210 with SMTP id k201mr15255875ita.21.1490718415848; Tue, 28 Mar 2017 09:26:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.39.215 with HTTP; Tue, 28 Mar 2017 09:26:54 -0700 (PDT)
In-Reply-To: <8a9cd559-d27f-c245-bfb4-2bc2ecea6ea1@diennea.com>
References: <d42e535b43f14fc68b9b3e22cdff2e51@EXC01-Arezzo.diennea.lan> <BF2CE255-261C-4006-B8C9-9D9518EF258F@dukhovni.org> <CANtKdUffuLwo--4KY7XL3NsZanUcjat1MUmZF7-H_UYBergdSA@mail.gmail.com> <8a9cd559-d27f-c245-bfb4-2bc2ecea6ea1@diennea.com>
From: Daniel Margolis <dmargolis@google.com>
Date: Tue, 28 Mar 2017 18:26:54 +0200
Message-ID: <CANtKdUd35v_nKgx76R0y7VgCNw-QVM=mNGS7SaDaVFN2fFAwWg@mail.gmail.com>
To: Federico Santandrea <federico.santandrea@diennea.com>
Cc: uta@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a114a8ac4ae702d054bcced16"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/szMM23Ypd7htb6GAdNwyg69sC3A>
Subject: Re: [Uta] Comments on draft-ietf-uta-mta-sts-03
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 16:27:05 -0000
Of course a smart attacker who can MITM insecure DNS can spoof reports (and optionally MITM the DKIM lookup to make the reports look valid). So it's sort of turtles all th way down, no? On Tue, Mar 28, 2017 at 12:38 PM, Federico Santandrea < federico.santandrea@diennea.com> wrote: > On 27/03/2017 13:41, Daniel Margolis wrote: > >> Anyway, I'm very open to suggestions on how to make this more >> transparent within the scope of TLSRPT, but I don't love the idea of >> adding policy complexity by letting recipients specify what to do in >> this scenario. >> > > To allow the receiving domain owner to spot abnormal situations without > complicating the report, we could add semantics to the date-range. > > The draft says: > > o "date-time": The date-time indicates the start- and end-times for > the report range. It is provided as a string formatted according > to Section 5.6, "Internet Date/Time Format", of [RFC3339]. The > report should be for a full UTC day, 0000-2400. > > If we replace that with something along the lines of: > > o "date-time": The date-time indicates the start- and end-times for > the report range. It is provided as a string formatted according > to Section 5.6, "Internet Date/Time Format", of [RFC3339]. > "start-datetime" should be 0000 UTC of the relevant day or the > first time a policy was discovered, whichever comes last. > "end-datetime" should be 2400 UTC of the relevant day or the > time the last cached policy did expire, whichever comes first. > > Then one would normally see reports for one whole day, except when one > first publishes a policy and in abnormal situations where a policy > has been allowed to expire with no new one available. > > In that case it will be clear that for some part of the day no policy > was considered, which can be expected (if the domain doesn't publish a > policy anymore) or unexpected (network problems/attacks on the sending > MTA or, if the problem is widespread across senders, possible > misconfiguration of denial of service on records or endpoints). > > If in the same day a policy is discovered again after a previous one > has expired, then we would have more than one report for that day: > for instance, one from 0000 to the time the policy had expired, and > another one from the time a new policy had been discovered to 2400. > So the gap during which no policy applied would be evident. > > -- > Federico > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] Comments on draft-ietf-uta-mta-sts-03 Federico Santandrea - Diennea
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Viktor Dukhovni
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Daniel Margolis
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Jim Fenton
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Viktor Dukhovni
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Daniel Margolis
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Federico Santandrea
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Federico Santandrea
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Daniel Margolis
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Daniel Margolis
- Re: [Uta] Comments on draft-ietf-uta-mta-sts-03 Viktor Dukhovni