Re: [Uta] draft-martin-authentication-results-tls-00.txt

Chris Newman <chris.newman@oracle.com> Mon, 03 March 2014 14:39 UTC

Return-Path: <chris.newman@oracle.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E6591A01DB for <uta@ietfa.amsl.com>; Mon, 3 Mar 2014 06:39:19 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Z2KbrUyRCkN for <uta@ietfa.amsl.com>; Mon, 3 Mar 2014 06:39:18 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 008001A01DD for <uta@ietf.org>; Mon, 3 Mar 2014 06:39:17 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s23EdDlB005124 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 3 Mar 2014 14:39:14 GMT
Received: from gotmail.us.oracle.com (gotmail.us.oracle.com [10.133.152.174]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s23EdAD1001584; Mon, 3 Mar 2014 14:39:11 GMT
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-disposition: inline
Content-type: text/plain; CHARSET="US-ASCII"; format="flowed"
Received: from [10.175.6.72] (dhcp-uk-twvpn-1-vpnpool-10-175-13-253.vpn.oracle.com [10.175.13.253]) by gotmail.us.oracle.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built Jan 22 2014)) with ESMTPA id <0N1V0017P7D7W100@gotmail.us.oracle.com>; Mon, 03 Mar 2014 06:39:10 -0800 (PST)
Date: Mon, 03 Mar 2014 14:39:06 +0000
From: Chris Newman <chris.newman@oracle.com>
To: Franck Martin <franck@peachymango.org>, uta@ietf.org
Message-id: <D80D263EF16870240BAF05B3@96B2F16665FF96BAE59E9B90>
In-reply-to: <335401184.8514.1393846443039.JavaMail.zimbra@peachymango.org>
References: <233559187.7077.1393833441181.JavaMail.zimbra@peachymango.org> <WM!28c70c1d46516949cf7f9bf8cde9cd85c4e619555a8dbb69689f5c7317bc85fef4f03b79fffcd6368f70a1fbccb8b85a!@asav-2.01.com> <335401184.8514.1393846443039.JavaMail.zimbra@peachymango.org>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/zIe8FTvV7Qr6JKcMNo3gzgOq2g4
Subject: Re: [Uta] draft-martin-authentication-results-tls-00.txt
List-Id: UTA working group mailing list <uta.ietf.org>
X-List-Received-Date: Mon, 03 Mar 2014 14:39:19 -0000

--On March 3, 2014 5:34:03 -0600 Franck Martin <franck@peachymango.org> 
wrote:
> Following a suggestion at last IETF meeting to codify TLS results in
> email please find the following:
>
> A new version of I-D, draft-martin-authentication-results-tls-00.txt
> has been successfully submitted by Franck Martin and posted to the
> IETF repository.
>
> Name: draft-martin-authentication-results-tls
> Revision: 00
> Title: Authentication-Results Registration for TLS
> Document date: 2014-03-03
> Group: Individual Submission
> Pages: 6
> URL:
> http://www.ietf.org/internet-drafts/draft-martin-authentication-results-tls-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-martin-authentication-results-tls/
> Htmlized:
> http://tools.ietf.org/html/draft-martin-authentication-results-tls-00
>
>
> Abstract:
> This memo updates the registry of properties in Authentication-
> Results: message header fields to allow relaying of the results of an
> email sent using STARTTLS [RFC3207] or not.

I reviewed this draft and have several concerns.

I believe the "tls.client" field is harmful. It includes information that 
appears to have value but has none in practice due to lack of standardized 
client certificate validation rules and thus may be misused by spam 
filters. If you have an argument about why this information is useful, I'd 
be interested in hearing it.

The same complaint applies to "tls.server", but it is additionally 
problematic absent information about whether the client claims to have 
verified the server's identity (such information could be gathered by the 
SMTP CLIENT command described in draft-newman-email-deep).

The "tls.strength" field is a value judgment that is derived from the 
tls.cipher field. However, the community's evaluation of the strength of a 
cipher suite changes over time so this becomes inaccurate over time. It's 
been my experience that protocols are better if they omit value-judgments 
and derived values.

I believe including the "tls.cipher" field in a received header rather than 
an authentication results header is more useful because it then correlates 
with the host and IP addresses of the relevant connection endpoints 
creating a more complete connection trace field.

I invite you to critique draft-newman-email-deep. It's still version -01 
and needs refinement and review. If there is an element or goal of your 
draft you feel is important and is not covered by draft-newman-email-deep, 
I'd like to understand that and make sure it is covered.

		Thanks,
		- Chris
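Two of the points above (TLS parameters belong in the Received: trace, where they stay tied to the hop's endpoints, and "strength" is a judgment the consumer should make against an explicit policy rather than a value baked into the header) can be shown with a small trace parser. This is example code written for this page, not code from either draft or from any MTA. The sample Received: values are constructed (RFC 5737 documentation addresses), and the two TLS clause layouts it recognizes, the sendmail-style "(version=... cipher=... bits=... verify=...)" seen in the message's own trace and the Postfix-style "(using TLSv1.2 with cipher ... (256/256 bits))", are assumptions about what those MTAs emit.

```python
"""Per-hop TLS parameters recovered from Received: trace fields.

Example code written for this page (not from draft-martin-*, draft-newman-*,
or any MTA). The clause formats below are assumptions about what sendmail
and Postfix write; the sample headers are constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample trace, newest hop first, as the values appear after
# "Received:" in a message. Documentation addresses from RFC 5737.
SAMPLE_RECEIVED = [
    "from localhost (mx1.example.net [127.0.0.1]) by mx1.example.net "
    "(Postfix) with ESMTP id 4E6591A01DB for <list@example.net>; "
    "Mon, 3 Mar 2014 06:39:19 -0800 (PST)",
    "from relay.example.com (relay.example.com [192.0.2.10]) by "
    "mx1.example.net (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP "
    "id s23EdDlB005124 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA "
    "bits=256 verify=OK); Mon, 3 Mar 2014 14:39:14 GMT",
    "from mua.example.org (mua.example.org [198.51.100.7]) (using TLSv1.2 "
    "with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) "
    "(No client certificate requested) by relay.example.com (Postfix) "
    "with ESMTPSA id 7Z2KbrUyRCkN; Mon, 3 Mar 2014 14:39:10 GMT",
]


@dataclass
class Hop:
    from_host: Optional[str]      # HELO/EHLO name as recorded
    from_ip: Optional[str]        # address in the "[...]" comment
    by_host: Optional[str]        # receiving MTA
    tls_version: Optional[str]    # None: hop not recorded as TLS-protected
    cipher: Optional[str]
    bits: Optional[int]
    verify: Optional[str]         # sendmail "verify=" token, if present


FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^\s\[\]()]*)\s*\[([^\]]+)\]\))?")
BY_RE = re.compile(r"\bby\s+(\S+)")
# Assumed sendmail layout: (version=TLSv1/SSLv3 cipher=... bits=256 verify=OK)
SENDMAIL_TLS_RE = re.compile(
    r"\(version=(\S+)\s+cipher=(\S+)\s+bits=(\d+)(?:\s+verify=(\S+))?\)")
# Assumed Postfix layout: (using TLSv1.2 with cipher ... (256/256 bits))
POSTFIX_TLS_RE = re.compile(
    r"\(using\s+(\S+)\s+with\s+cipher\s+(\S+)\s+\((\d+)/\d+\s+bits\)\)")


def parse_received(value: str) -> Hop:
    """Parse one Received: value into a Hop; TLS fields stay None if absent."""
    value = re.sub(r"^Received:\s*", "", value.strip())
    m_from = FROM_RE.match(value)
    m_by = BY_RE.search(value)
    hop = Hop(
        from_host=m_from.group(1) if m_from else None,
        from_ip=m_from.group(3) if m_from else None,
        by_host=m_by.group(1) if m_by else None,
        tls_version=None, cipher=None, bits=None, verify=None,
    )
    m = SENDMAIL_TLS_RE.search(value)
    if m:
        # sendmail writes e.g. "TLSv1/SSLv3"; keep the protocol part (assumption).
        hop.tls_version = m.group(1).split("/")[0]
        hop.cipher, hop.bits, hop.verify = m.group(2), int(m.group(3)), m.group(4)
        return hop
    m = POSTFIX_TLS_RE.search(value)
    if m:
        hop.tls_version, hop.cipher, hop.bits = m.group(1), m.group(2), int(m.group(3))
    return hop


@dataclass(frozen=True)
class Policy:
    """The consumer's own, explicitly named evaluation policy."""
    name: str
    min_bits: int
    forbidden_versions: FrozenSet[str]
    require_verify_ok: bool


# Illustrative policy (constructed): what a reader in 2014 might accept.
POLICY_2014 = Policy("example-2014", 128, frozenset({"SSLv2", "SSLv3"}), False)


def hop_meets(hop: Hop, policy: Policy) -> bool:
    """Judge a hop against a policy at read time, not at header-writing time."""
    if hop.tls_version is None or hop.tls_version in policy.forbidden_versions:
        return False
    if hop.bits is None or hop.bits < policy.min_bits:
        return False
    if policy.require_verify_ok and hop.verify != "OK":
        return False
    return True


def unprotected_hops(hops: List[Hop], policy: Policy) -> List[str]:
    """Endpoint pairs ("from -> by") for hops that fail the policy."""
    return [f"{h.from_host} -> {h.by_host}" for h in hops if not hop_meets(h, policy)]


if __name__ == "__main__":
    trace = [parse_received(v) for v in SAMPLE_RECEIVED]
    for h in trace:
        print(h)
    print(POLICY_2014.name, "rejects:", unprotected_hops(trace, POLICY_2014))
```

Each Hop carries the cipher together with the sending address and receiving host of the connection that negotiated it, which is the correlation an Authentication-Results property alone cannot give. Changing the Policy object (for example forbidding TLSv1 or requiring verify=OK) changes which hops are reported, without any field in the message having to be rewritten; that is the reason for keeping "strength" out of the header.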