On Tue, Aug 08, 2017 at 05:30:18PM +0300, Ilari Liusvaara wrote:

> > Thanks for the thorough writeup. A question about the "requirements" stated:
> > 
> > > 3.  It should be possible to remove policy in a timely manner.
> > 
> > What do you mean by "remove" and "not having" a policy? What specific
> > behavior do you want from senders?
> The way I understand the request, it is full clear of policy, that is:
> - The existing policy is (immediately) invalidated.
> - The policy cache entry for the recipient is deleted.
> And since there is no policy anymore:
> - All certificate validation per the policy ceases.
> - All reporting per the policy ceases.
> - There is no difference in delivery behavior (for future deliveries)
>   from STS policy having never existed.
> This is similar to the behavior of HSTS if a valid HSTS header with
> max-age=0 is ever received: the HSTS policy is instantly deleted and
> the name reverts to non-HSTS operation (http:// connections work and
> certificate errors can be clicked through).

Correct.  Full removal of any prior evidence of SMTP STS Policy, but
because SMTP STS has both a DNS TXT record and a policy obtained via
HTTPS, the process of policy removal involves more steps on both sides.

For example, policy removal should not result in an intermediate
state where the client is constantly refetching the max_age=0 STS
policy (because the TXT record is still visible, but the cache
has been flushed).

I had considered using NXDOMAIN/NODATA, instead of an empty id, to
signal policy removal (provided the other end returns max_age =
0), but this leads to a problem, because some DNS libraries (e.g.
libresolv) make it difficult to obtain the TTL of a negative reply.
With no TTL for NXDOMAIN/NODATA it is not clear how often one should
attempt to poll for "max_age = 0", and with TXT record removed, it
can no longer trigger early refresh.

[ It is unfortunate that DNS NXDOMAIN/NODATA is often considered a
  lookup error, whereas it is actually a lookup success, that yields
  an empty result.  DNS APIs should expose negative TTLs, but not
  all do. ]
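Added illustration, not code from this thread or from any MTA-STS implementation: a toy Python model of a sender-side policy cache that shows the removal semantics described above (the entry is deleted on a max_age=0 policy, validation per the policy ceases) and the intermediate state to avoid (the TXT record is still visible after the cache is flushed). The domain, the policy ids, and the "tombstone" that remembers the id for which a max_age=0 policy was already fetched are all constructed assumptions for the example; NXDOMAIN/NODATA is modelled simply as "no TXT record", without the negative-TTL handling the message notes is hard to get from some DNS APIs.

```python
"""Toy model of an MTA-STS sender-side policy cache with policy removal.

Constructed example: data structures, domain, ids and the tombstone
idea are assumptions for illustration, not any RFC text or library API.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CachedPolicy:
    policy_id: str     # id from the TXT record at the time of the HTTPS fetch
    max_age: int       # seconds the fetched policy may be cached
    fetched_at: float  # time of the HTTPS fetch
    mode: str          # "enforce", "testing" or "none"

    def expired(self, now: float) -> bool:
        return now >= self.fetched_at + self.max_age


@dataclass
class PolicyCache:
    entries: dict = field(default_factory=dict)     # domain -> CachedPolicy
    tombstones: dict = field(default_factory=dict)  # domain -> id already seen with max_age=0
    fetches: int = 0                                # HTTPS fetches performed (for the demo)

    def needs_fetch(self, domain: str, txt_id: Optional[str], now: float) -> bool:
        """Decide whether an HTTPS policy fetch is warranted for this delivery.

        txt_id is the id from the TXT record, or None for NXDOMAIN/NODATA.
        """
        if txt_id is None:
            return False  # no TXT record: nothing to fetch
        if self.tombstones.get(domain) == txt_id:
            return False  # removal for this id already processed: no refetch loop
        cached = self.entries.get(domain)
        if cached is None:
            return True
        return cached.policy_id != txt_id or cached.expired(now)

    def apply_fetched(self, domain: str, txt_id: str, mode: str, max_age: int, now: float) -> None:
        """Store a freshly fetched policy, or fully remove it when max_age is 0."""
        self.fetches += 1
        if max_age == 0:
            self.entries.pop(domain, None)       # invalidate and delete the cache entry
            self.tombstones[domain] = txt_id     # remember which id announced the removal
            return
        self.tombstones.pop(domain, None)
        self.entries[domain] = CachedPolicy(txt_id, max_age, now, mode)

    def active_policy(self, domain: str, now: float) -> Optional[CachedPolicy]:
        """Policy to validate against, or None (deliver as if STS never existed)."""
        cached = self.entries.get(domain)
        if cached is None or cached.expired(now):
            return None
        return cached


def simulate_removal() -> dict:
    """Walk through publish, removal, stale TXT record, and TXT record gone."""
    cache = PolicyCache()
    domain = "example.com"  # constructed
    # t=0: first delivery, TXT id "20170801" (constructed): fetch and cache an enforce policy
    if cache.needs_fetch(domain, "20170801", now=0):
        cache.apply_fetched(domain, "20170801", "enforce", 86400, now=0)
    # t=100: id unchanged and cache fresh: no fetch
    fetch_while_fresh = cache.needs_fetch(domain, "20170801", now=100)
    # t=200: operator publishes a new id together with a max_age=0 policy: full removal
    if cache.needs_fetch(domain, "20170808", now=200):
        cache.apply_fetched(domain, "20170808", "none", 0, now=200)
    policy_after_removal = cache.active_policy(domain, now=201)
    # t=300..500: TXT record still visible with the removal id; must not refetch each delivery
    refetches_after_removal = sum(
        1 for t in (300, 400, 500) if cache.needs_fetch(domain, "20170808", now=t)
    )
    # t=1000: TXT record finally removed (NXDOMAIN/NODATA): nothing to fetch
    fetch_on_nxdomain = cache.needs_fetch(domain, None, now=1000)
    return {
        "fetches": cache.fetches,
        "fetch_while_fresh": fetch_while_fresh,
        "policy_after_removal": policy_after_removal,
        "refetches_after_removal": refetches_after_removal,
        "fetch_on_nxdomain": fetch_on_nxdomain,
    }


if __name__ == "__main__":
    print(simulate_removal())
```

The tombstone is what keeps the sender out of the refetch loop while the TXT record lingers; without it, every delivery between the HTTPS removal and the DNS removal would see a cache miss plus a visible id and fetch the max_age=0 policy again. What the model does not cover is how long to keep polling once the TXT record is gone, which is exactly where a negative TTL would be needed.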
