Re: [yam] Russ Housley's Discuss on draft-ietf-yam-rfc4409bis-02: (with DISCUSS)
John C Klensin <john@jck.com> Wed, 24 August 2011 20:57 UTC
Return-Path: <john@jck.com>
X-Original-To: yam@ietfa.amsl.com
Delivered-To: yam@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50B2321F8D92; Wed, 24 Aug 2011 13:57:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.552
X-Spam-Level:
X-Spam-Status: No, score=-102.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHM-bmezAkq8; Wed, 24 Aug 2011 13:57:48 -0700 (PDT)
Received: from bs.jck.com (ns.jck.com [209.187.148.211]) by ietfa.amsl.com (Postfix) with ESMTP id CDCA621F8D8C; Wed, 24 Aug 2011 13:57:47 -0700 (PDT)
Received: from [127.0.0.1] (helo=localhost) by bs.jck.com with esmtp (Exim 4.34) id 1QwKX7-000Lg3-JH; Wed, 24 Aug 2011 16:58:45 -0400
Date: Wed, 24 Aug 2011 16:58:44 -0400
From: John C Klensin <john@jck.com>
To: Russ Housley <housley@vigilsec.com>, S Moonesamy <sm+ietf@elandsys.com>
Message-ID: <9FF24CD8B21A5EAD6E856220@PST.JCK.COM>
In-Reply-To: <D41B604F-9452-4F9F-80BA-1FE5B74B171E@vigilsec.com>
References: <20110822174540.26398.33846.idtracker@ietfa.amsl.com> <6.2.5.6.2.20110823123557.0d863778@elandnews.com> <D41B604F-9452-4F9F-80BA-1FE5B74B171E@vigilsec.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: richard Barnes <rbarnes@bbn.com>, draft-ietf-yam-rfc4409bis@tools.ietf.org, The IESG <iesg@ietf.org>, yam-chairs@tools.ietf.org, yam@ietf.org
Subject: Re: [yam] Russ Housley's Discuss on draft-ietf-yam-rfc4409bis-02: (with DISCUSS)
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2011 20:57:49 -0000
Speaking personally, not as editor. First, I can live, both personally and as editor, with Dave's latest proposed text (although I'd prefer to see S/MIME added back in). But I think that, in the quest of apparent precision, we are being a little unrealistic. There are digital signature systems around and in use that do not conform to the IETF-standardized versions of DKIM, PGP, and S/MIME. There are still environments in which message content is secured by computing a message integrity check values and then sending that value over a separate channel, independent of the message itself. In the general case -- the three IETF-standard protocols excluded-- we can't even have a general expectation that the Submission server will be able to recognize the presence of a signature mechanism because that mechanism may be supported through undocumented/non-standard message header fields or undocumented/non-standard envelope fields. In the case of out-of-band transmission of a MIC, there may be no hint at all in the envelope or message that a check is being done. Depending on the method used, what it signs or verifies, and what canonicalization is specified, many of the transformations explicitly permitted by submission servers may mess things up, usually be rendering a signature or separate MIC invalid. Keeping in mind that we assume, at least formally, that Submission servers are under the administrative control of the sender, we can sensibly advise that the sender make sure the Submission server is aware of any specialized constraints on its actions (not only ones associated with signatures, although those may be the most important case). We can sensibly advise (and probably should, given the concerns Russ identified about invalid signatures versus no signatures) that part of that Sender (or MUA) communication with the submission server include agreements about whether the Submission server should remove possibly-affected signatures, ignore the problem, re-sign the message with its own keys and mechanisms (or incrementally if that is feasible), or even return the message to the submitter with an explanation of the problem. Other than advising such communication (which is better than a dragon-warning, but maybe not much), there really isn't anything we can say here because such statements would be very method-dependent and possibly dependent on the submission environment (as well as too dependent on the details of less-mature protocols to be appropriate in a full standard). I think Dave's phrasing is better than the original, but I don't think we should delude ourselves that it supplies real advice. All it does is to make a statement about damage that can occur, leaving it to the imagination of the reader or implementer what should be done about it. In that sense, it is just a translation of the original "there be dragons" warning into slightly more attractive standards-language. Again, if that is what the community wants, I'm ok with it. But we are spending a lot of time on this for a very small incremental gain over either saying nothing or saying "Submission servers should be really, really, careful that their well-intentioned changes to messages don't screw things up". john
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… S Moonesamy
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Russ Housley
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Dave CROCKER
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… S Moonesamy
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Pete Resnick
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Ned Freed
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… S Moonesamy
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Dave CROCKER
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Ned Freed
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… John C Klensin
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Ned Freed
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… John C Klensin
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Frank Ellermann
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… John C Klensin
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Frank Ellermann
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… S Moonesamy
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… John C Klensin
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Pete Resnick
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… S Moonesamy
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Alessandro Vesely
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Barry Leiba
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Ned Freed
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… John Levine
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Murray S. Kucherawy
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… Tony Hansen
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… SM
- Re: [yam] Russ Housley's Discuss on draft-ietf-ya… S Moonesamy