IETF Logo Mail Archive

Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS Proposal

Viruthagiri Thirumavalavan <giri@dombox.org> Mon, 07 January 2019 19:52 UTC

Return-Path: <giri@dombox.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCE1D124C04 for <uta@ietfa.amsl.com>; Mon, 7 Jan 2019 11:52:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dombox.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7wSEqrtqdggs for <uta@ietfa.amsl.com>; Mon, 7 Jan 2019 11:52:03 -0800 (PST)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0597013107F for <uta@ietf.org>; Mon, 7 Jan 2019 11:52:03 -0800 (PST)
Received: by mail-yb1-xb2e.google.com with SMTP id w6so653864ybq.1 for <uta@ietf.org>; Mon, 07 Jan 2019 11:52:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dombox.org; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=W69dRYa7Dhis/fo93wbpgvTKS/wOI+CxvY0lXc2yBQE=; b=Z1Xi7LliMIHVfvCqTLlcGY9c2ZYlIyLmgVVW0bCiO5U9t3oDPAQkXNq+oZqStsVuqU wiNG9KB5xMbFeb89l7MAucbPcU6JWShpsDzjgo0VoMEVAXZzPLvNRKqefn6ntBSsiTLo B0xigs7g8uH/L6esGwpYqwhzx2avNIfvo/8+j0GT4eUtM7D4FynH8bYDj/igjCPJWcKf 4YJG1qUwFDI3hZnaoPHZyNEZfUxwNFaqw1ThQc8gRA27qrQbzNv02DUCN5W2Jc0V6pGe xw9nY2af3weLl/SlfXnrYtgWQ9jFkvgHivRwdrmmUZlFcg2Ja1qvrBCLFSmnUn+EzIz6 NT0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=W69dRYa7Dhis/fo93wbpgvTKS/wOI+CxvY0lXc2yBQE=; b=Ast0u/wfxWg/GWP1qt2yWlViwJcglkYxgFImZdUNNoQ2zInJ8eReix9us4cg8cz7eO cBThIXRdeb19Nq7NjHq9pXl4IAGp5iF95JkkFK6d8ne8AgjvyBK31wTTHWJpJldFUu6X 3kMaEEs4gpKmSQGDzsjYDK2CmPpVPWcaMK/1BEM9Xo0R4oXHIsYrtwKWIMR57AMWzU1O LZLu3wcvdn+0pfdxoh89TX1LUaoaJnyHZtUC5fuxNMsVvzALHpFD7LECK4ZFIxoulju0 UKwvTMlFbjNg4FKxbyKM/uPbgWamVGGMvimUtGwymCt3QL9Arp95Frum9qNC50tvdlvm xnCA==
X-Gm-Message-State: AJcUukej/crRZt2PjtWdIbXCXmFNPXmt3OEuunfw0uZKFkVf8fjFoMDd 6Z81EuqIajpDi+yk4SjZgKRHjgXczNDI0WXvSaMNPS1gFnE=
X-Google-Smtp-Source: AFSGD/Uiz89pLD2EDgyp1Y0w4LNypBJ+Ta8gbE0T0Xaq6L7eSFvovI2WG6hlBZuls+m1O1tb4/9JMVKBiSC6YvUAH8I=
X-Received: by 2002:a5b:48a:: with SMTP id n10-v6mr63611505ybp.89.1546890721580; Mon, 07 Jan 2019 11:52:01 -0800 (PST)
MIME-Version: 1.0
References: <CAOEezJTyEf+Sn9ZqQPue1DFUSoFO211YogJ6ufYJxswWzXk=_A@mail.gmail.com> <20190106010828.CC431200C5ED52@ary.qy> <CAOEezJShOYkmy8-E+8zG=CPXxrWNcxf8q8W8MnW-v1RT0FzEWw@mail.gmail.com> <123cecc0-aba2-9530-c0d9-b6437f295140@domblogger.net> <88fad90d-24b6-fe4d-5df8-bc294c4f6b33@bluepopcorn.net> <CAOEezJS+T3pP-GqwJFeT=HGbOu1TkY6W0kyjP9_FcVsaJ=hw7A@mail.gmail.com> <b4fe2502-dc1e-5dea-8515-b69ed262ac8f@domblogger.net> <CAOEezJTFxhRYGKQD0a8LLEL7UTPKmfdF5uYLDpZdj3Zm9P+wZw@mail.gmail.com> <35456e82-c149-864f-3312-cff55af68551@domblogger.net> <CAOEezJTTp-VDvChuTcG5yD4yAVe9M0eKZnN11tKXV79O53ai5w@mail.gmail.com> <542346640.18156.1546871078489@appsuite.open-xchange.com> <98be93f5-a637-3b89-d376-46cb2bcf2f61@domblogger.net> <CANtKdUcOsuve+5eWBua+RvkN3FTQFCd4wwXtPn9PR_gk68+h7Q@mail.gmail.com>
In-Reply-To: <CANtKdUcOsuve+5eWBua+RvkN3FTQFCd4wwXtPn9PR_gk68+h7Q@mail.gmail.com>
From: Viruthagiri Thirumavalavan <giri@dombox.org>
Date: Tue, 08 Jan 2019 01:21:50 +0530
Message-ID: <CAOEezJSAZS+a_ZE-aSvtiVgHfjtnOdaaaKYEZQu8CWwEB6vfug@mail.gmail.com>
To: uta@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f77abb057ee38f34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/vP8l7r7aMmMcMXPBpK2aV5HgeXw>
Subject: Re: [Uta] SMTP Over TLS on Port 26 - Implicit TLS Proposal
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 19:52:07 -0000

@Daniel Margolis

Thanks for the input. Really appreciate that.

@Vittorio Bertola

My apologies for being rude earlier. I was little upset when I saw your
post. I'm okay now. Again my apologies. I had to defend myself there.

I remember you from a few months ago on the DMARC-discuss list, when you
> tried to convince everyone that you had finally solved the problem of spam
> by introducing your proprietary standard "Sender Alias Domains" (where did
> that go?).


When you say something like that on this list, you are implying like "Hey,
this guy is not serious. You are wasting your time by helping him". And
that's much worse than the guys who attacked me on the DMARC list.

I think I already made it pretty clear. Trying to standardise a flawed
solution is the last thing I wanna do. So I have no problem if my proposal
get rejected due to flaws. But not because we already have STS and DANE.

This is how you responded

I would advise you to make sure that you fully appreciate the explanations
> that are given to you on why your proposal is fundamentally flawed, rather
> than just adjusting the original proposal a bit and keep posting it again.


I posted in ietf-smtp and this is how they responded

Especially if you are new, please interpret my response (and
> those of several others) as "we aren't convinced about your
> idea" or "we think there are better alternatives", not as "your
> proposal is bad and will cause problems".   I'd like to see a
> lot more discussion before the latter conclusion is reached
> although I'd encourage you to read the comments carefully and
> see if they suggest ways to improve the proposal.  I believe
> that it is very important that new ideas to which long-time
> participants have initial negative reasons get careful
> consideration and every reasonable chance to succeed before they
> are dismissed.


They even go an extra step to show their hospitality

Also, the IETF functions much better when document proposals are
> posted as Internet Drafts.   See
> https://www.ietf.org/standards/ids/ and
> https://datatracker.ietf.org/submit/tool-instructions/ and the
> other headings on the latter page.   Under normal circumstances,
> I'd volunteer to help you get an Internet-Draft together from
> you github posting but this week is just too busy.  Perhaps
> someone else can help you get started (that is a call for
> volunteers, folks), otherwise please get back to me next week.

welcome to the IETF.


These folks are down to earth. And I would be ready to work with them any
day.

Feel free to criticise my work. I even thanked many people in this list for
that. But please don't insult me just to prove a point.

I'm gonna continue this proposal discussion in ietf-smtp list. I wish you
good luck and my apologies once again for what I said earlier.

Thanks

On Mon, Jan 7, 2019 at 9:59 PM Daniel Margolis <dmargolis=
40google.com@dmarc.ietf.org> wrote:

> Yeah, I wanted to chime in on this thread to say something similar. ;)
>
> I have always admired how modern browsers have been able to really push
> the boundaries on security UI (e.g. showing warnings for weak ciphers, etc)
> and consequently change the state of security for most of the Web
> ecosystem. I would (speaking personally here) love to see major mail
> providers do something similar to what Alice said and sunset weak
> (unencrypted, or unauthenticated) SMTP.
>
> But there are, I think, at least two ways in which mail is somewhat
> different than the Web for this:
>
> 1. There's no great *synchronous* UX to show users auth failures or
> downgrades and get them to approve, nor do identifiers even indicate an
> expected state of security. (Users who enter "https" manually--which
> admittedly is probably a very rare behavior--are explicitly indicating
> something akin to Require-TLS, whereas email traditionally has no such
> indicator; more importantly, perhaps, there's no great mechanism to show
> users "we tried STARTTLS but couldn't negotiate it; do you want to
> continue?" since mailing is async.)
>
> 2. Mail is quite commonly outsourced to a hosting provider, so you can't
> just require server identities to match the @domain--you need to somehow
> validate the MX.
>
> Admittedly both of these problems are fixable with existing technologies:
> a Webmail provider could check for DANE and DNSSEC on the MX zone and warn
> users at message compose time where it's not present, for example. But it
> does feel to me hard to shoehorn this into the SMTP ecosystem as it
> currently exists, though perhaps we're all just too incrementalist or
> something.
>
> I do see improvements, however--notably, that opportunistic TLS is now
> very common, DANE is of increasing usage, and MTA-STS hopefully provides an
> alternate for those who cannot adapt DANE, and Require-TLS is an experiment
> in giving users that UI control. So I think things are moving in the right
> direction.
>
> Viruthagiri, I appreciate the bold suggestions. New things would never
> happen without them! If people are a little crusty sometimes, I think it's
> only feedback about the difficulty of fully understanding context and
> history when making a new proposal.
>
> Dan
>
> On Mon, Jan 7, 2019 at 3:42 PM Alice Wonder <alice@domblogger.net> wrote:
>
>> On 1/7/19 6:24 AM, Vittorio Bertola wrote:
>> >
>> >> Il 7 gennaio 2019 alle 13.23 Viruthagiri Thirumavalavan
>> >> <giri@dombox.org> ha scritto:
>> >>
>> >> @Vittorio Bertola
>> > Hello,
>> >
>> > it looks like you misinterpreted my reply completely, reading things in
>> > it that I never thought or said, but in any case, if you felt offended
>> > by it, I apologize. I actually think that the IETF is often too
>> > unwelcoming and rude to new participants and I do not want to be part
>> of
>> > that attitude at all. At the same time, though I actually praised your
>> > boldness in repeatedly trying to tackle big issues, the consensus seems
>> > to be that your proposal cannot be supported, no matter how much you
>> fix
>> > it, and so there is not much help we can give you, other than
>> explaining
>> > to you the technical reasons for that conclusion, as I did in my reply;
>> > please accept the conclusion without taking it as a personal attack.
>> >
>>
>> Hear hear, and I share the passion too.
>>
>> If it were up to me, an RFC would be published deprecating opportunistic
>> TLS for SMTP.
>>
>> System administrators would have three years, but after that, TLS 1.3+
>> would be required for SMTP.
>>
>> Reason for TLS 1.3+ is that it requires ciphers with forward secrecy.
>>
>> But I know it will never fly. It's what I want though.
>>
>> _______________________________________________
>> Uta mailing list
>> Uta@ietf.org
>> https://www.ietf.org/mailman/listinfo/uta
>>
>
>
> --
> How's my emailing? http://go/dan-email-slo
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>


-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.

v2.23.0 | Report a Bug | By Email