Re: [yam] Interop problem: SMTP submission, STARTTLS, AUTH EXTERNAL

Tony Finch <dot@dotat.at> Sat, 01 May 2010 20:23 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: yam@core3.amsl.com
Delivered-To: yam@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1703D3A67DB for <yam@core3.amsl.com>; Sat, 1 May 2010 13:23:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.152
X-Spam-Level:
X-Spam-Status: No, score=-1.152 tagged_above=-999 required=5 tests=[AWL=-1.753, BAYES_50=0.001, J_CHICKENPOX_43=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r3kiwu2GjcDL for <yam@core3.amsl.com>; Sat, 1 May 2010 13:23:52 -0700 (PDT)
Received: from ppsw-52.csi.cam.ac.uk (ppsw-52.csi.cam.ac.uk [131.111.8.152]) by core3.amsl.com (Postfix) with ESMTP id 8E6E73A68AB for <yam@ietf.org>; Sat, 1 May 2010 13:23:51 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:50683) by ppsw-52.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpa (EXTERNAL:fanf2) id 1O8JDs-0002Sf-Ga (Exim 4.70) (return-path <fanf2@hermes.cam.ac.uk>); Sat, 01 May 2010 21:23:36 +0100
Received: from fanf2 (helo=localhost) by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local-esmtp id 1O8JDs-0000xf-43 (Exim 4.67) (return-path <fanf2@hermes.cam.ac.uk>); Sat, 01 May 2010 21:23:36 +0100
Date: Sat, 1 May 2010 21:23:36 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Chris Newman <chris.newman@oracle.com>
In-Reply-To: <4DE3D88239911A6791730051@96B2F16665FF96BAE59E9B90>
Message-ID: <alpine.LSU.2.00.1005012113140.27873@hermes-2.csi.cam.ac.uk>
References: <4DE3D88239911A6791730051@96B2F16665FF96BAE59E9B90>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: yam@ietf.org
Subject: Re: [yam] Interop problem: SMTP submission, STARTTLS, AUTH EXTERNAL
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 May 2010 20:23:54 -0000

On Fri, 30 Apr 2010, Chris Newman wrote:
>
> I've been dealing with client certificate authentication lately and realized
> we have an interoperability problem with our standards.  For SMTP submission,
> when an end-user wishes to authenticate using a client certificate, the
> protocol sequence to do so is unclear.

There is no specification for how SMTP+TLS interacts with any
authentication or authorization logic. There is no specification
for how SASL EXTERNAL interacts with security layers. Since the
problem is gaps (rather than errors) in the specifications, I think
the right solution is:

Option 4: Write a spec for how SMTP + TLS + SASL EXTERNAL should work
together.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
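As an added illustration, not part of Tony's mail or of any of the specifications it mentions, the following Python simulates one server-side policy a submission server could apply to the gap being discussed: EXTERNAL is advertised and accepted only on a TLS session that presented a verified client certificate, STARTTLS resets prior state, and an explicit authorization identity must match the identity bound to the certificate. The TLS handshake and certificate verification are stubbed (the identity is passed in), and the chosen policy and helper names are my assumptions, not behaviour any RFC mandates.

```python
import base64
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    tls: bool = False
    cert_identity: Optional[str] = None   # identity from a verified client cert (assumed supplied by TLS layer)
    authenticated: Optional[str] = None

def ehlo_response(s: Session) -> list:
    """EHLO reply: STARTTLS before TLS; AUTH only after TLS; EXTERNAL only with a verified client cert."""
    lines = ["250-submission.example.net"]
    if not s.tls:
        lines.append("250-STARTTLS")
    mechs = ["PLAIN"] if s.tls else []            # assumption: no password mechanisms on the clear channel
    if s.tls and s.cert_identity:
        mechs.append("EXTERNAL")
    if mechs:
        lines.append("250-AUTH " + " ".join(mechs))
    lines.append("250 ENHANCEDSTATUSCODES")
    return lines

def handle(s: Session, line: str, client_cert_identity: Optional[str] = None) -> list:
    """Process one client command and return the server's reply lines."""
    cmd, _, arg = line.partition(" ")
    cmd = cmd.upper()
    if cmd == "EHLO":
        return ehlo_response(s)
    if cmd == "STARTTLS":
        if s.tls:
            return ["503 5.5.1 TLS already active"]
        s.tls = True
        s.cert_identity = client_cert_identity    # result of the simulated handshake
        s.authenticated = None                    # RFC 3207: forget pre-TLS state after STARTTLS
        return ["220 2.0.0 Ready to start TLS"]
    if cmd == "AUTH":
        mech, _, initial = arg.partition(" ")
        if mech.upper() != "EXTERNAL":
            return ["504 5.5.4 Unrecognized authentication type"]
        if not s.tls:
            return ["530 5.7.0 Must issue a STARTTLS command first"]
        if not s.cert_identity:
            return ["535 5.7.8 No verified client certificate on this session"]
        # RFC 4954: "=" is an empty initial response; otherwise it is the base64 authzid
        authz = "" if initial in ("", "=") else base64.b64decode(initial).decode()
        if authz and authz != s.cert_identity:
            return ["535 5.7.8 Authorization identity does not match certificate"]
        s.authenticated = s.cert_identity
        return ["235 2.7.0 Authentication successful"]
    return ["500 5.5.2 Command not recognized"]
```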