On Mon, Oct 22, 2018 at 11:46:27AM +0200, Daniel Margolis wrote:

> > Close, but this conflates two issues: (1) making sure that the MX record
> > hasn't been forged (which MTA-STS or DNSSEC in the mailbox domain will do)
> > and authenticating the mail server (which the certificate chain or DANE in
> > the mail server's domain will do).
> 
> True. So you could rephrase this as "(MTA-STS *or* DNSSEC on the MX
> records) *and* (CA-signed certs *or* DANE on the MX hosts)". (MTA-STS also
> requires CA-signed certs, of course.) But this feels like a somewhat weird
> matrix for an admin to understand how to satisfy, no?

After thinking this over, I too can live with a "REQUIRETLS=YES"
that uses:

    * DANE when the MX RRset is signed, and the MX host has
      TLSA records.  But otherwise,
    * Web PKI cert when the MX RRset is signed, but no
      DANE TLSA records are published.  But otherwise,
    * MTA-STS when the domain's MX RRset is unsigned.  Else,
    * Failure

The idea being that STARTTLS stripping is already addressed by
"REQUIRETLS=YES", and a DNSSEC-signed RRset addresses MX record
forgery, so what remains is authentication; and if TLSA records are
not published, then if we're willing to accept MTA-STS, which only
protects the MX RRset after first contact, we should be willing to
accept WebPKI for DNSSEC-signed MX records.

This creates an asymmetry of policy mechanisms between TLS policy
from the server, and TLS policy from the client, slightly complicating
MTA implementations, but it looks manageable.

And yet, my preference would have been to not take this approach.
Rather each domain that wants to support "REQUIRETLS=YES", would
need to implement MTA-STS or DANE.  If they already have a signed
MX RRset, they could often just add TLSA records and have DANE for
little extra effort.

The "fly in the ointment" is that many domains are signed, but their
MX providers are not, and so they would then have to implement
MTA-STS, just to benefit from protection against MX record forgery
that they already have by virtue of DNSSEC.

Therefore, for now, perhaps Jim's compromise is about right.

There are ~9 million DNSSEC-signed domains, but as yet only ~334
thousand have DANE MX hosts, though a large fraction are hosted by
providers with WebPKI certs (just ~1 million on redirect.ovh.net
alone...).

-- 
        Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
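The mechanism-selection order proposed in the message above (DANE, then WebPKI on a signed MX RRset, then MTA-STS on an unsigned one, else failure), as an added Python example; this is not code from the thread, from any MTA, or from the UTA working group. The `LookupView` data model, the sample domains and the hostnames are constructed assumptions standing in for real DNS and HTTPS lookups. The MTA-STS "mx" pattern matching follows RFC 8461 (a leading "*." matches exactly one label), and the DANE branch assumes the TLSA RRset was itself DNSSEC-validated, as RFC 7672 requires.

```python
"""Per-MX-host mechanism selection for a REQUIRETLS=YES delivery.

Added example, not code from the mailing-list thread or any MTA.  The
LookupView below is an assumed stand-in for what a sending MTA learns
from DNS (MX + TLSA, with DNSSEC validation status) and from an MTA-STS
policy fetch; no network access is performed.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class LookupView:
    """Constructed view of one recipient domain (assumption, not a real resolver)."""
    mx_hosts: List[str]                          # MX targets in preference order
    mx_signed: bool                              # MX RRset passed DNSSEC validation (AD bit)
    tlsa_hosts: Set[str] = field(default_factory=set)   # hosts whose TLSA RRset validated
    sts_mx_patterns: Optional[List[str]] = None  # "mx:" entries of a fetched MTA-STS policy,
                                                 # None when the domain publishes no policy


def sts_pattern_matches(pattern: str, host: str) -> bool:
    """RFC 8461 'mx' matching: '*.example.com' matches 'mail.example.com'
    but neither 'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return pattern == host


def plan_delivery(view: LookupView) -> List[Tuple[str, str]]:
    """Return [(host, mechanism), ...] for every MX host usable under
    REQUIRETLS=YES, in MX preference order.  An empty list is the
    'Failure' branch: no host can be authenticated, so the MTA must not
    deliver (REQUIRETLS itself already rules out STARTTLS stripping)."""
    plan = []
    for host in view.mx_hosts:
        if view.mx_signed:
            # MX forgery is excluded by DNSSEC; only authentication remains.
            if host in view.tlsa_hosts:
                plan.append((host, "DANE"))      # TLSA-based authentication
            else:
                plan.append((host, "WebPKI"))    # CA-signed cert, name = MX host
        elif view.sts_mx_patterns is not None and any(
                sts_pattern_matches(p, host) for p in view.sts_mx_patterns):
            # Unsigned MX RRset: the host is trustworthy only if the MTA-STS
            # policy lists it; the cert must also be CA-signed for that name.
            plan.append((host, "MTA-STS"))
        # else: unsigned MX host not covered by any policy -> not usable
    return plan


# Constructed sample domains (assumptions, not real deployments).
SIGNED_WITH_DANE = LookupView(
    mx_hosts=["mx1.example.net", "mx2.example.net"],
    mx_signed=True,
    tlsa_hosts={"mx1.example.net"},              # only the primary publishes TLSA
)
UNSIGNED_WITH_STS = LookupView(
    mx_hosts=["mail.example.org", "backup.other.example"],
    mx_signed=False,
    sts_mx_patterns=["*.example.org"],           # backup host is not in the policy
)
UNSIGNED_NO_POLICY = LookupView(
    mx_hosts=["mx.example.com"],
    mx_signed=False,
)


if __name__ == "__main__":
    for name, view in [("signed+DANE", SIGNED_WITH_DANE),
                       ("unsigned+MTA-STS", UNSIGNED_WITH_STS),
                       ("unsigned, no policy", UNSIGNED_NO_POLICY)]:
        print(name, "->", plan_delivery(view) or "Failure")
```

The signed domain yields DANE for the host with TLSA records and WebPKI for the one without, which is the asymmetry the message accepts; the unsigned domain with an MTA-STS policy drops the backup MX that the policy does not cover, and the unsigned domain without a policy produces no usable host at all.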
