Re: [Uta] I-D Action: draft-ietf-uta-rfc7525bis-07.txt
John R Levine <johnl@taugh.com> Thu, 23 June 2022 17:42 UTC
Date: Thu, 23 Jun 2022 13:42:46 -0400
Message-ID: <93ea21b8-f62c-1196-1587-7a5a97a81da2@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Peter Saint-Andre <stpeter@stpeter.im>, uta@ietf.org
On Thu, 23 Jun 2022, Peter Saint-Andre wrote:

>>>> - section 3.2: I wondered why no mention of MTA-STS or
>>>> DANE? Could/should we say that MTA implementations
>>>> SHOULD include support for such strictness?

> Hi John, thanks for sharing these insights. I'll reach out to a few Comcast
> colleagues regarding DANE. We the authors of course want to recommend what's
> best current practice, thus the interest in how widely deployed these
> technologies are. Another wrinkle is that MTA-STS is specific to the email
> world, whereas DANE has at least been defined as a more generalized
> technology and deployment might vary across application protocols (e.g., I
> know there has been some adoption of DANE in the XMPP community but it is far
> from ubiquitous).

Among the reasons that DANE in e-mail is less common is that it is tricky.

Until MTA-STS and DANE, when a mail server started a TLS session it could and usually did present a random self-signed certificate and nothing checked it. But now it has to present a cert that matches the name that the client expects.

It is very common for a single mail server to handle mail for a zillion different domains. Sometimes all the MX records point to the same name for the mail server, e.g., all of Gmail's hosted domains point to aspmx.l.google.com., but sometimes each domain has its own name, e.g. the MX for tucows.com is mx.tucows.com.cust.hostedemail.com. This means the mail server has to have a cert for every name that points to it and use SNI to return the correct one.

I added SNI to my mail server and have a library of 100 certs for the 100 domains it handles but as you know I am strange.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
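The name-matching behind John's point (the cert must match the MX name the sender expects, and a multi-domain server must pick the right cert by SNI), as an added example that is not part of the thread: it follows the RFC 8461 (MTA-STS) rules as I understand them, and the policy text, SAN lists and certificate file names are constructed samples, not real data about the domains mentioned.

```python
# Added example (not from the thread): the name checks behind "the cert must match
# the name the client expects", after RFC 8461. Sample policy/SANs are constructed.

def host_matches(pattern, host):
    """RFC 6125 style match: '*' is allowed only as the whole leftmost label
    and matches exactly one label; comparison is case-insensitive."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def parse_policy(text):
    """Parse MTA-STS policy 'key: value' lines; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def check_delivery(policy_text, mx_host, cert_san_names):
    """Sender side: may we deliver to mx_host given the policy and the cert's DNS SANs?"""
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        return (False, "unsupported policy version")
    if not any(host_matches(pat, mx_host) for pat in policy["mx"]):
        problem = "MX host not listed in policy"
    elif not any(host_matches(san, mx_host) for san in cert_san_names):
        problem = "certificate does not match MX host"
    else:
        return (True, "ok")
    # In 'testing' mode a failure is only reported (TLSRPT); mail still flows.
    if policy.get("mode") == "testing":
        return (True, "testing mode, would fail: " + problem)
    return (False, problem)

def select_cert_for_sni(cert_library, sni_name):
    """Receiver side: pick the cert whose SAN list covers the SNI name the client sent."""
    for cert_file, sans in cert_library.items():
        if any(host_matches(san, sni_name) for san in sans):
            return cert_file
    return None

# Constructed sample: per-domain MX names that all point at one hosted-email server.
POLICY = "version: STSv1\nmode: enforce\nmx: mx.tucows.com.cust.hostedemail.com\nmax_age: 604800\n"
CERTS = {"default.pem": ["mail.hostedemail.com"], "tucows.pem": ["mx.tucows.com.cust.hostedemail.com"]}
```

The second `check_delivery` case in the test is the pre-SNI failure John describes: a shared cert for the provider's own name is presented to a sender that expects the per-domain MX name.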