On Thu, Sep 10, 2015 at 07:52:34PM +0200, Michael Ströder wrote:
> >
> > https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-2.2.1
> >
> > Since the protocol in this memo is an "opportunistic security"
> > protocol ([RFC7435]) the SMTP client MAY elect to use DANE TLS (as
> > described in Section 2.2.2 below) even with MX hosts obtained via an
> > "insecure" MX RRSet. For example, when a hosting provider has a
> > signed DNS zone and publishes TLSA records for its SMTP servers,
> > hosted domains that are not signed may still benefit from the
> > provider's TLSA records. Deliveries via the provider's SMTP servers
> > will not be subject to active attacks when sending SMTP clients elect
> > to make use of the provider's TLSA records (active attacks that
> > tamper with the "insecure" MX RRSet are of course still possible in
> > this case).
> >
> > I think the current "MAY" is sufficient for now, but if that proves
> > to be a valuable feature of the protocol, a short update BCP
> > RFC upgrading the "MAY" to a "SHOULD" or "MUST" might be possible
> > in the future.
>
> Hmm... I can understand why you wrote it like this. But some people are more
> eager and want to push things in a mandatory way. I wish DANE started with
> "MUST" from the very beginning. It's a new standard and a big investment anyway.
It does start with MUST, when the MX RRset is "secure" *and* the
MX host address records are "secure" *and* "secure" TLSA records
are published. When the first condition is false, and you don't
actually get MiTM protection, there's a MAY. The MAY allows one
to get a secure-channel to possibly the wrong host (this is at
least tamper-evident if logs are read).
> > So long as such sessions are not reported as secure, and are not
> > accepted when DANE authentication is mandatory (e.g. Postfix
> > "dane-only" TLS security level), the proposal does not in any
> > way reduce the security of DANE as specified.
>
> Postfix's "dane-only" requires successfully validated signed MX RRs?
Requires all three conditions, and matching TLSA records for the
peer domain. If you know a domain has committed to implement DANE
and keep it that way, you can set the policy for that domain to
"dane-only".
> > So the proposal is not obviously damaging, just possibly premature.
> > We'll know more once there is more deployment and people either
> > learn (or don't learn) to operate their TLSA records correctly.
>
> People should be prepared that some MTAs will require signed MX RRs.
Not in the foreseeable future. Without signed MX RRs, many sites
will not take advantage of DANE TLSA RRs for the corresponding MX
hosts even if present. That's different from requiring the MX
RRset to be signed in the first place.
--
Viktor.
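The policy rules Viktor spells out above (DANE is a MUST only when the MX RRset, the MX host address records and the TLSA records are all "secure"; the "MAY" of section 2.2.1 yields a channel to a possibly wrong host that must not be reported as secure; "dane-only" refuses anything less than all three conditions plus a matching TLSA record) are modelled in this added Python example. It is not code from the thread, the draft or Postfix; the outcome names, the `DnsLookup` fields and the per-domain policy map are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsLookup:
    """DNSSEC status of what an SMTP client resolved for one MX host (assumed model)."""
    mx_secure: bool      # MX RRset of the recipient domain validated by DNSSEC
    addr_secure: bool    # A/AAAA RRset of the chosen MX host validated
    tlsa_secure: bool    # TLSA RRset of the MX host present and validated
    tlsa_matches: bool   # some TLSA record matched the certificate the server presented

AUTHENTICATED = "authenticated"      # all three conditions held: may be reported as secure
UNVERIFIED_HOST = "unverified-host"  # section 2.2.1 MAY: secure channel, host chosen via insecure MX
OPPORTUNISTIC = "opportunistic-tls"  # plain "may" behaviour, no DANE authentication
DEFERRED = "deferred"                # mandatory DANE not satisfied: do not deliver now

def effective_outcome(policy: str, lk: DnsLookup) -> str:
    """Decide the session outcome for an opportunistic ("dane") or mandatory ("dane-only") policy."""
    if policy not in ("dane", "dane-only"):
        raise ValueError(f"unknown policy {policy!r}")
    all_secure = lk.mx_secure and lk.addr_secure and lk.tlsa_secure
    if all_secure:
        # DANE is a MUST here; a validated TLSA RRset that matches nothing is an
        # authentication failure, not a fallback (assumed, as in the draft's section 2.2.2).
        return AUTHENTICATED if lk.tlsa_matches else DEFERRED
    if policy == "dane-only":
        # Mandatory DANE: any missing condition means the session is not accepted.
        return DEFERRED
    if lk.addr_secure and lk.tlsa_secure:
        # The MAY of section 2.2.1: the client elects to use the provider's TLSA records
        # although the MX RRset was insecure. Once elected they are binding (assumed).
        return UNVERIFIED_HOST if lk.tlsa_matches else DEFERRED
    return OPPORTUNISTIC

def reported_secure(outcome: str) -> bool:
    """Only a fully authenticated session may be logged or reported as secure."""
    return outcome == AUTHENTICATED

def policy_for(domain: str, per_domain: dict, default: str = "dane") -> str:
    """Per-domain policy map, e.g. {"example.org": "dane-only"} for a domain that committed to DANE."""
    return per_domain.get(domain.lower(), default)

def decide(domain: str, per_domain: dict, lk: DnsLookup) -> str:
    return effective_outcome(policy_for(domain, per_domain), lk)
```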
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane