Hi, > On 19 Mar 2016, at 11:20, Mark Risher <[email protected]> wrote: > > Dear UTA: > We have just submitted a proposal entitled SMTP Strict Transport Security, > which details a mechanism for protecting MTA-to-MTA email traffic against TLS > downgrade attacks and interception. > > The initial draft is at > https://datatracker.ietf.org/doc/draft-margolis-smtp-sts/ and we hope to > discuss this at the Buenos Aires meeting next month. While we have deployed a > prototype/reference implementation among the authors, we are very open to > feedback and suggestions from the broader group and look forward to your > input.
As already mentioned in two previous threads to this mailing list and a GitHub issue: I see a big problem with deployment of the webpki authentication part outside of big hosting environments. But I really do like the idea of getting feedback from/to MTAs. Can you guys think of a way we can get in-band reporting within e.g. SMTP (an extension)? EFF is currently picking up STARTTLS-Everywhere again (mind: it's been idle since before Let's Encrypt, a lot of new proposals like this one for mail came out - so the project, scope and even it's name are subject to change in the near future). One idea I had was to provide anonymised log information regarding TLS-failures / MITM attempts to distributed monitoring servers and the receiving party. If there were a more general document for error-reporting (as some suggested) - we could maybe make use of that as well. If it requires every small mail-OP to set up a webserver on the same machine, it's unlikely that we can push for that, and adoption number might turn out low. As for authentication/TOFU: I see no better proposal than TACK around. HPKP was an utter failure [0] and I fear that, for the very same reasons, SMTP-STS might not see a lot of deployment nor use in single-domain-setups. And there're quite a few around. While it's important to secure the majority of mail traffic between large providers - they're already doing well - we should not forget that there's still a lot of self-hosted MXs on the Internet. I could imagine an updated (e.g. using EdDSA over ECDSA etc) version of TACK fitted to SMTP. One of the original authors might be interested in working on that he told me earlier this year, unfortunately I did not have any time to pursue this idea further. Thanks, Aaron [0] http://news.netcraft.com/archives/2016/03/30/http-public-key-pinning-youre-doing-it-wrong.html
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
