Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
Dave Cridland <dave@cridland.net> Thu, 12 April 2018 09:17 UTC
Return-Path: <dave@cridland.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0687D126C3D for <uta@ietfa.amsl.com>; Thu, 12 Apr 2018 02:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOjNDj5Pgoa1 for <uta@ietfa.amsl.com>; Thu, 12 Apr 2018 02:17:08 -0700 (PDT)
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com [IPv6:2a00:1450:4010:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB3F4124F57 for <uta@ietf.org>; Thu, 12 Apr 2018 02:17:07 -0700 (PDT)
Received: by mail-lf0-x235.google.com with SMTP id o102-v6so6624406lfg.8 for <uta@ietf.org>; Thu, 12 Apr 2018 02:17:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=C782+Y+Y+cm0tAG+wuDmimOCUYaespP1SJtXNi1dcJA=; b=Syx+JvSmiNN1ES/CXAjNvPcJDwDqq5rpA76kZpIwLPro70Q8vGbavfxaQ7j4Dlq2Jp IR1SIpVWmJHVEfFTK9vJpMK72/r+jIq6b8XIdGu+3nT/k9j6wl8Ih5NulT0rp09+pkxM LDkRS7kdvi9M1MMLG2yu8lqLTojvfCSkHikh4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=C782+Y+Y+cm0tAG+wuDmimOCUYaespP1SJtXNi1dcJA=; b=MWKHHm1BATBXH1RHGugz/78tJsTOJysCGwaU6qwIs1SrMcqAGu0Abpf8qk9//l4Sa9 B+O63YnTZatnkE34+NYETlCLsCHeYbUDsiqds34SqH/sUosI+8lrWHCuP/Ems4LYWICL dyUqFqzMdxzCI397jqKsQvxwR97rlXdcwdYxGFhCXR4odFoiiYzWp+S3c7iaPOhuYGXA lLql76uX7dA0DJsu46txmy3UBtDGAcE6KtAta6jlhLJ/H02GTMxTeIcifHvLhLU4qYZQ 1mLXwtjb/fD4OxCtLb4G7vwr9sLf1EPWgcjX4xAKjWGR5L1OFsjxpO4syqNWHwJfTgEn ZpiA==
X-Gm-Message-State: ALQs6tClGEWVV5U+ZSQtu/KlN+Qzc6AjEq9FG9KpkLHdErA3OGc4udFU jTrbKpG0+SG3chQvTmze+7Ouoz7ltL6kgQLJ/93+Vw==
X-Google-Smtp-Source: AIpwx48IC2k41TQDzrUA0BItqmbHMnfBhNDkt0m50tnbLXmUiQPAGmui8UIoJfq66KpxCxmPaM+87AG0fz7i/fvQOy8=
X-Received: by 10.46.153.13 with SMTP id v13mr76674lji.145.1523524626027; Thu, 12 Apr 2018 02:17:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.179.71.202 with HTTP; Thu, 12 Apr 2018 02:17:05 -0700 (PDT)
In-Reply-To: <01QR80776HKE000051@mauve.mrochek.com>
References: <CAKHUCzwes5vHjBSDqYXkvGRCGPeSPnqNgsJ2J_tDzF2FG+RuMg@mail.gmail.com> <01QR7KDO3D96000051@mauve.mrochek.com> <CAKHUCzzLWNQqPbgh7iGraJqviFuSP_A4i2-qKKfNS5fypKbZzQ@mail.gmail.com> <01QR80776HKE000051@mauve.mrochek.com>
From: Dave Cridland <dave@cridland.net>
Date: Thu, 12 Apr 2018 10:17:05 +0100
Message-ID: <CAKHUCzxdfUsKJ7frRgTj_wPp3rwNG08+ufekN5pmg9NR6KnHiw@mail.gmail.com>
To: Ned Freed <ned.freed@mrochek.com>
Cc: "ietf@ietf.org Discussion" <ietf@ietf.org>, uta@ietf.org
Content-Type: multipart/alternative; boundary="883d24f22d7c242f200569a33899"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/uZvc8WMGzLXjqpMoJ2vEKYAlo1s>
Subject: Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2018 09:17:11 -0000
On 12 April 2018 at 00:49, Ned Freed <ned.freed@mrochek.com> wrote: > > > This workload is what I consider to be the antithesis of "intuitively > > simpler". > > And once again I'm afraid what your intution is telling you is exactly the > opposite of my experience. For me implementing this using a separate query > server actually makes things much easier, not harder, in part because I'm > not > constrained to code things in C/C++, which is what the SMTP client is > coded in. > > You might want to sit down and try mocking this up in, say, node.js. It may > change your mind about the approach. > > And the client part is going to be maybe 50 lines of C code. Code of a sort > I've written many, many, many times before. Hardly difficult. > > That's all well and good, but people are saying that DANE is simple enough to implement too. > > > > c) Both/either of the above. > > > > > > > I assume the logic behind allowing a wildcard-to-wildcard match is to > > > allow > > > > a Google user to simply specify ".googlemail.com" and ".l.google.com" > as > > > > their MX identity patterns; however it feels as though Google could > > > simply > > > > use a known name within the certificate for all their receiving MTAs, > > > > irrespective of the DNS records involved. This, of course, > presupposes > > > that > > > > the administrator of the mail domain somehow does not know the > precise > > > > names of the MTAs used in their own DNS records. > > > > > > > I further assume the logic in mandating matches against dNSName SANs > is > > > > because these are readily available; however sRVName SANs, by > restricting > > > > their use to a particular service, have the advantage that customers > > > giving > > > > these to their service provider might be deemed more acceptable. > > > > > > A comparable effect can be achieved by using a subdomain root reserved > for > > > email server use. > > > > > > So it's a choice between an easily implemented naming convention and a > > > bunch > > > of PKIX esoterica. This does not strike me as a difficult choice. > > > > > > > > Well, being *able* to use sRVName would be nice at least. The > specification > > as written prevents it, which seems unfortunate. > > I have to say I like the simplicity of the current specification, and I > don't > want to see added complexity in this regard without a compelling reason for > adding it. > > OK, as long as you understand this embeds a hack into PKIX. > > > > o MTA-STS Policy: A commitment by the Policy Domain to support > PKIX > > > > [RFC5280] authenticated TLS for the specified MX hosts. > > > > > > > Impressively, by my reading, the commitment is for the Policy Domain > to > > > > support PKIX for all SMTP; and not just for specified hosts. > > > > > > Of course that's the commitment. How could it be otherwise? > > > > > > Then that needs rephrasing, because I didn't see any "Of course" about > it. > > > A commitment by the Policy Domain to support PKIX [RFC 5280] > authenticated > > TLS, using reference identifiers as listed. > > > (I'm trying to guess what was meant by "for the specified MX hosts".) > > The entire point of the mechanism is to say that the policy domain supports > and wants SSL/TLS transfers and that the servers have validated certs > with the specified names. So I really don't understand what you're getting > at here. > It says "MX host", which, as near as I can guess, is used elsewhere to mean a host used as a Mail Exchanger, and not either of the "MX Hostname" or the "Reference Identifier". Dave.
- [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> … The IESG
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… ned+uta
- [Uta] Digression on DANE for MTAs implementation … Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Dave Cridland
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Viktor Dukhovni
- Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.t… Daniel Margolis