IETF Logo Mail Archive

Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard

Dave Cridland <dave@cridland.net> Thu, 12 April 2018 09:17 UTC

Return-Path: <dave@cridland.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0687D126C3D for <uta@ietfa.amsl.com>; Thu, 12 Apr 2018 02:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOjNDj5Pgoa1 for <uta@ietfa.amsl.com>; Thu, 12 Apr 2018 02:17:08 -0700 (PDT)
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com [IPv6:2a00:1450:4010:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB3F4124F57 for <uta@ietf.org>; Thu, 12 Apr 2018 02:17:07 -0700 (PDT)
Received: by mail-lf0-x235.google.com with SMTP id o102-v6so6624406lfg.8 for <uta@ietf.org>; Thu, 12 Apr 2018 02:17:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=C782+Y+Y+cm0tAG+wuDmimOCUYaespP1SJtXNi1dcJA=; b=Syx+JvSmiNN1ES/CXAjNvPcJDwDqq5rpA76kZpIwLPro70Q8vGbavfxaQ7j4Dlq2Jp IR1SIpVWmJHVEfFTK9vJpMK72/r+jIq6b8XIdGu+3nT/k9j6wl8Ih5NulT0rp09+pkxM LDkRS7kdvi9M1MMLG2yu8lqLTojvfCSkHikh4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=C782+Y+Y+cm0tAG+wuDmimOCUYaespP1SJtXNi1dcJA=; b=MWKHHm1BATBXH1RHGugz/78tJsTOJysCGwaU6qwIs1SrMcqAGu0Abpf8qk9//l4Sa9 B+O63YnTZatnkE34+NYETlCLsCHeYbUDsiqds34SqH/sUosI+8lrWHCuP/Ems4LYWICL dyUqFqzMdxzCI397jqKsQvxwR97rlXdcwdYxGFhCXR4odFoiiYzWp+S3c7iaPOhuYGXA lLql76uX7dA0DJsu46txmy3UBtDGAcE6KtAta6jlhLJ/H02GTMxTeIcifHvLhLU4qYZQ 1mLXwtjb/fD4OxCtLb4G7vwr9sLf1EPWgcjX4xAKjWGR5L1OFsjxpO4syqNWHwJfTgEn ZpiA==
X-Gm-Message-State: ALQs6tClGEWVV5U+ZSQtu/KlN+Qzc6AjEq9FG9KpkLHdErA3OGc4udFU jTrbKpG0+SG3chQvTmze+7Ouoz7ltL6kgQLJ/93+Vw==
X-Google-Smtp-Source: AIpwx48IC2k41TQDzrUA0BItqmbHMnfBhNDkt0m50tnbLXmUiQPAGmui8UIoJfq66KpxCxmPaM+87AG0fz7i/fvQOy8=
X-Received: by 10.46.153.13 with SMTP id v13mr76674lji.145.1523524626027; Thu, 12 Apr 2018 02:17:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.179.71.202 with HTTP; Thu, 12 Apr 2018 02:17:05 -0700 (PDT)
In-Reply-To: <01QR80776HKE000051@mauve.mrochek.com>
References: <CAKHUCzwes5vHjBSDqYXkvGRCGPeSPnqNgsJ2J_tDzF2FG+RuMg@mail.gmail.com> <01QR7KDO3D96000051@mauve.mrochek.com> <CAKHUCzzLWNQqPbgh7iGraJqviFuSP_A4i2-qKKfNS5fypKbZzQ@mail.gmail.com> <01QR80776HKE000051@mauve.mrochek.com>
From: Dave Cridland <dave@cridland.net>
Date: Thu, 12 Apr 2018 10:17:05 +0100
Message-ID: <CAKHUCzxdfUsKJ7frRgTj_wPp3rwNG08+ufekN5pmg9NR6KnHiw@mail.gmail.com>
To: Ned Freed <ned.freed@mrochek.com>
Cc: "ietf@ietf.org Discussion" <ietf@ietf.org>, uta@ietf.org
Content-Type: multipart/alternative; boundary="883d24f22d7c242f200569a33899"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/uZvc8WMGzLXjqpMoJ2vEKYAlo1s>
Subject: Re: [Uta] Last Call: <draft-ietf-uta-mta-sts-15.txt> (SMTP MTA Strict Transport Security (MTA-STS)) to Proposed Standard
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2018 09:17:11 -0000

On 12 April 2018 at 00:49, Ned Freed <ned.freed@mrochek.com> wrote:
>
> > This workload is what I consider to be the antithesis of "intuitively
> > simpler".
>
> And once again I'm afraid what your intution is telling you is exactly the
> opposite of my experience. For me implementing this using a separate query
> server actually makes things much easier, not harder, in part because I'm
> not
> constrained to code things in C/C++, which is what the SMTP client is
> coded in.
>
> You might want to sit down and try mocking this up in, say, node.js. It may
> change your mind about the approach.
>
> And the client part is going to be maybe 50 lines of C code. Code of a sort
> I've written many, many, many times before. Hardly difficult.
>
>
That's all well and good, but people are saying that DANE is simple enough
to implement too.


> > > > c) Both/either of the above.
> > >
> > > > I assume the logic behind allowing a wildcard-to-wildcard match is to
> > > allow
> > > > a Google user to simply specify ".googlemail.com" and ".l.google.com"
> as
> > > > their MX identity patterns; however it feels as though Google could
> > > simply
> > > > use a known name within the certificate for all their receiving MTAs,
> > > > irrespective of the DNS records involved. This, of course,
> presupposes
> > > that
> > > > the administrator of the mail domain somehow does not know the
> precise
> > > > names of the MTAs used in their own DNS records.
> > >
> > > > I further assume the logic in mandating matches against dNSName SANs
> is
> > > > because these are readily available; however sRVName SANs, by
> restricting
> > > > their use to a particular service, have the advantage that customers
> > > giving
> > > > these to their service provider might be deemed more acceptable.
> > >
> > > A comparable effect can be achieved by using a subdomain root reserved
> for
> > > email server use.
> > >
> > > So it's a choice between an easily implemented naming convention  and a
> > > bunch
> > > of PKIX esoterica. This does not strike me as a difficult choice.
> > >
> > >
> > Well, being *able* to use sRVName would be nice at least. The
> specification
> > as written prevents it, which seems unfortunate.
>
> I have to say I like the simplicity of the current specification, and I
> don't
> want to see added complexity in this regard without a compelling reason for
> adding it.
>
>
OK, as long as you understand this embeds a hack into PKIX.


> > > >    o  MTA-STS Policy: A commitment by the Policy Domain to support
> PKIX
> > > >       [RFC5280] authenticated TLS for the specified MX hosts.
> > >
> > > > Impressively, by my reading, the commitment is for the Policy Domain
> to
> > > > support PKIX for all SMTP; and not just for specified hosts.
> > >
> > > Of course that's the commitment. How could it be otherwise?
> > >
>
> > Then that needs rephrasing, because I didn't see any "Of course" about
> it.
>
> > A commitment by the Policy Domain to support PKIX [RFC 5280]
> authenticated
> > TLS, using reference identifiers as listed.
>
> > (I'm trying to guess what was meant by "for the specified MX hosts".)
>
> The entire point of the mechanism is to say that the policy domain supports
> and wants SSL/TLS transfers and that the servers have validated certs
> with the specified names. So I really don't understand what you're getting
> at here.
>

It says "MX host", which, as near as I can guess, is used elsewhere to mean
a host used as a Mail Exchanger, and not either of the "MX Hostname" or the
"Reference Identifier".

Dave.

v2.23.0 | Report a Bug | By Email