[dmarc-discuss] Is DMARC the right place for SMTP-TLS policy and reporting?
msk at fb.com
Tue Jun 19 22:43:18 PDT 2012
I don't understand the characterization you have in the first paragraph. Both SPF and DKIM independently identify some party (in the form of a domain name) that takes some responsibility for the handling of the message, although they go about it differently and have disjoint failure modes.
To flip your "same hop" logic around: If SPF and TLS evaluate the same hop, why not go with the far cheaper option? SPF consists of only a couple of DNS queries and some simple logic; the same cannot be said for TLS.
Are there significant scenarios in which SPF (and DKIM, for that matter) fail but TLS passes? If you're identifying a serious false negative issue, that's definitely something we need to consider.
Also, until DANE is widely deployed, TLS as a client authentication mechanism is only available to those who purchase CA-signed certificates. That has the feeling of being somewhat exclusionary, where DMARC has been trying to be as open as possible.
From: Chris Lamont Mankowski <makerofthings77 at gmail.com<mailto:makerofthings77 at gmail.com>>
Date: Wed, 20 Jun 2012 01:11:12 -0400
To: "John R. Levine" <johnl at iecc.com<mailto:johnl at iecc.com>>
Cc: <dmarc-discuss at dmarc.org<mailto:dmarc-discuss at dmarc.org>>
Subject: Re: [dmarc-discuss] Is DMARC the right place for SMTP-TLS policy and reporting?
I don't think it's accurate to say this is about compliance verses S/MIME because that conversation is tangential to why I started this thread; I want to refocus on the part where SPF authenticates the sender, and DKIM reports the outcome.
Considering that TLS occurs at approximately the same hop when a SPF record is validated, and if SPF will be reported on via DKIM why shouldn't TLS be evaluated similarly? TLS provides an alternative method of validation to SPF that may be complimentary in some situations. In situations such as legal or financial documents it could enhance overall security and trust in the message.
John quoted my comment on how Google's planned MUA will show a special icon for validated messages. Continuing on that train of thought: If TLS policy is excluded from the DMARC spec, and MUAs end up showing a validation icon, does that imply that when a message is sent TLS Secured users will have yet another icon?
I'm envisioning a situation where a single email has so many validation icons it looks like the message was sponsored by Nascar. Users will be overwhelmed and won't be able to tell the difference.
The last time a significant user change was implemented someone invented the EV HTTPS certificate (the green bar in the URL) that provides no technical value other than the insurance that only applies to e-commerce sites. I want to prevent a repeat of what I consider misguided history and add some real security backbone to what is displayed to the end user.
* I want to define the version of TLS that was used (TLS 1.1 or newer in my case)
* The cipher must be RSA2048 or DHE
* The hash must be SHA2 or newer
* The subject name (or SAN) must match the sending domain
* (optional) the cert must be trusted in the root store
* (optional) the cert must have a thumbprint equal to xxx (allows for self signed certs)
* (optional) DNSSec is used for all certificate operations (to allow full compatibility with .gov)
I think DMARC can cause great things in MUAs to occur, and I'm elated it's being proposed but see that incorporating TLS policy and reporting as an essential component before anything is displayed to the end user as being secure.
On Wed, Jun 20, 2012 at 12:38 AM, John R. Levine <johnl at iecc.com<mailto:johnl at iecc.com>> wrote:
S/MIME could be an option for some industries, but I'm a finance vertical
and we are required to have a supervisory compliance agent review our
electronic communications. (See Smarsh.com or Proofpoint Archive as an
Hmmn. If this is about compliance, I think it's considerably outside the scope of what DMARC is intended for. But I'll defer to Murray to explain.
John Levine, johnl at iecc.com<mailto:johnl at iecc.com>, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________ dmarc-discuss mailing list dmarc-discuss at dmarc.org<mailto:dmarc-discuss at dmarc.org> http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dmarc-discuss