Hi Nico,

On 11/27/2013 05:42 PM, Nico Williams wrote:
> On Mon, Nov 25, 2013 at 09:51:41PM +0000, Stephen Farrell wrote:
>> New work on improving hop-by-hop security for email and other
>> things is getting underway in the IETF. [1] Basically the idea
>
> I see nothing in the proposed charter you linked to about hop-by-hop
> security.

Isn't the "Using TLS" part enough? At least for the applications
listed. Could be worth adding a sentence to the charter though, I guess.

> I could imagine something like Received headers to document how each
> SMTP (and SUBMIT) end-point was authenticated (if they were) along a
> mail transfer path. This would be of some utility, particularly for
> *short* paths (MUA->MSA->MTA->mailbox); for longer paths this loses its
> utility.

Not sure I get the utility there, at least as in scope for this
proposed WG. Do you mean the receiving MUA would display the message
differently or something?

There might be an idea there though: if some of the hops used e.g.
anon-DH and someone developed a generic witness protocol to help try
to spot MITM attacks on that, and if the MSA and MTAs DKIM-sign
messages, then a message header field containing the inbound & outbound
witness-protocol PDUs that was included in the DKIM signature could be
good.

That sounds like it'd be a bit out of scope for UTA, but if that's what
you meant (or similar) I'd say a mail to apps-discuss on that would be
useful. But I don't think we'd want the UTA WG to be the one to develop
a protocol for how to post-facto spot a MITM on anon-DH or other TLS
sessions though. (Anyone got suggestions for that btw? Probably a
different thread though.)

(And yes, the above would depend on DKIM public key records in the
non-DNSSEC DNS, so a DANE-like thing and DNSSEC would be stronger, but
given that lots of large and small mail services already do DKIM and
don't change their keys that often, even the non-DNSSEC thing might be
good enough.)

Cheers,
S.

>
> Nico
>

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
