Re: [ietf-smtp] [Uta] New Version Notification for draft-levine-additional-registered-clauses-00
2019-01-24 15:41:35

I suggest calling out ESNI specifically as a reason to not log the SNI in the security considerations, e.g. via:

OLD:
In a few circumstances, a new Additional-registered-clause might disclose information to a recipient that was otherwise unavailable.

NEW:
In a few circumstances, a new Additional-registered-clause might disclose information to a recipient or other actor (via data leaks) that was otherwise unavailable. In particular, if the SNI value was encrypted in the TLS handshake [ESNI] then logging is NOT RECOMMENDED.

[ESNI] would point at draft-ietf-tls-esni

Even if this isn't a big leak, I think it's still worth preserving a way in which SNIs don't leak - if the TLS client and server and TLS client's DNS setup (and maybe the TLS server's too) are all such that we've not leaked the SNI in any of those places then I think we're better off if we can avoid leaking it here. There have been real data leaks of mails where metadata like this has been revealing [1] and we can't tell in general if some new bit of data might be correlated with something else later.

Cheers,
S.

[1] https://labs.rs/en/metadata/

On 24/01/2019 19:56, John R Levine wrote:
> Apropos of recent discussions about SNI logging, here's a draft that adds an SNI clause to Received: headers, and per Chris Newman's suggestion, changes the registry criteria to Expert Review so you don't need to publish an RFC merely to register a new clause.
>
> Regards,
> John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> ---------- Forwarded message ----------
> Date: Thu, 24 Jan 2019 14:44:52
> From: internet-drafts(_at_)ietf(_dot_)org
>
> A new version of I-D, draft-levine-additional-registered-clauses-00.txt has been successfully submitted by John Levine and posted to the IETF repository.
>
> Name: draft-levine-additional-registered-clauses
> Revision: 00
> Title: Update to Additional Registered Clauses in SMTP Received Headers
> Document date: 2019-01-24
> Group: Individual Submission
> Pages: 4
> URL: https://www.ietf.org/internet-drafts/draft-levine-additional-registered-clauses-00.txt
> Status: https://datatracker.ietf.org/doc/draft-levine-additional-registered-clauses/
> Htmlized: https://tools.ietf.org/html/draft-levine-additional-registered-clauses-00
> Htmlized: https://datatracker.ietf.org/doc/html/draft-levine-additional-registered-clauses
>
> Abstract:
> SMTP servers add Received: trace headers to mail messages to track their progress. This document updates the registration criteria for Additional Registered Clauses in those headers to Expert Review, and adds a new clause for Server Name Indication (SNI).
>
> _______________________________________________
> Uta mailing list
> Uta(_at_)ietf(_dot_)org
> https://www.ietf.org/mailman/listinfo/uta
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
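As an added illustration of the logging policy discussed in the thread (this is example code written for this page, not code from the draft or from any of the posters), the following Python helper stamps a Received: header in RFC 5321 clause order, leaves the SNI clause out when the handshake carried the server name encrypted, and parses stored Received: values so a defender can audit which messages would reveal an SNI in a data leak. The clause token `sni`, the shape of the `tls` handshake summary (no standard TLS library reports whether the SNI was encrypted, so that flag is constructed), and all host names and ids are assumptions.

```python
"""Emit and audit Received: trace-header clauses (RFC 5321, section 4.4).

Added example for this thread; not code from the draft or its author.
Assumptions: the clause token "sni" stands in for whatever token the draft
registers, the `tls` dict is a constructed handshake summary, and every host
name and id below is made up.
"""
import re
import shlex
from datetime import datetime, timezone
from email.utils import format_datetime

# Opt-info order fixed by RFC 5321: [Via] [With] [ID] [For], and only then
# the Additional-Registered-Clauses.
OPT_INFO_ORDER = ("via", "with", "id", "for")

_ATOM = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")


def trace_clauses(tls):
    """Pick the additional registered clauses to record for one connection.

    Policy from the thread: if the SNI travelled encrypted (ESNI), keep it out
    of the Received: header so the trace data does not undo what the
    handshake protected. `tls` is a constructed summary such as
    {"sni": "mx.example.net", "sni_encrypted": True}.
    """
    clauses = {}
    if tls.get("sni") and not tls.get("sni_encrypted", False):
        clauses["sni"] = tls["sni"]  # "sni" token is an assumption
    return clauses


def _string(value):
    """Render a clause value as an RFC 5321 String: atom or quoted-string."""
    if _ATOM.match(value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_received(from_host, by_host, opt=None, extra=None, when=None):
    """Assemble a Received: value: FROM, BY, opt-info, extra clauses, ';' date."""
    parts = [f"from {from_host}", f"by {by_host}"]
    for name in OPT_INFO_ORDER:
        if opt and name in opt:
            parts.append(f"{name} {_string(opt[name])}")
    for name, value in (extra or {}).items():
        parts.append(f"{name} {_string(value)}")
    when = when or datetime.now(timezone.utc)
    return " ".join(parts) + "; " + format_datetime(when)


def parse_received(value):
    """Split a Received: value into ({clause: value}, date_string).

    Parenthesised comments are stripped first (they are free-form CFWS and
    would break the name/value walk); quoted-string values are unquoted.
    """
    text = value
    while "(" in text:  # peel nested comments from the inside out
        stripped = re.sub(r"\([^()]*\)", " ", text)
        if stripped == text:
            break  # unbalanced "(", leave the rest untouched
        text = stripped
    body, sep, date = text.rpartition(";")
    if not sep:
        raise ValueError("Received: value has no ';' before the date")
    tokens = shlex.split(body)
    if len(tokens) % 2:
        raise ValueError("clause without a value in Received: value")
    clauses = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens), 2)}
    return clauses, date.strip()


def sni_exposures(received_values):
    """Return the stored Received: values that carry an sni clause, e.g. when
    assessing what a leaked mailbox dump would reveal about past connections."""
    return [v for v in received_values if "sni" in parse_received(v)[0]]


# Constructed sample data used by demo() and the self-check below.
SAMPLE_WHEN = datetime(2019, 1, 24, 15, 41, 35, tzinfo=timezone.utc)
SAMPLE_PLAIN_SNI = {"sni": "mx.example.net", "sni_encrypted": False}
SAMPLE_ESNI = {"sni": "mx.example.net", "sni_encrypted": True}


def demo(tls):
    """Build the header one MTA would stamp for the given handshake summary."""
    return build_received("client.example.org", "mx.example.net",
                          opt={"with": "ESMTPS", "id": "abc123"},
                          extra=trace_clauses(tls), when=SAMPLE_WHEN)


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN_SNI, SAMPLE_ESNI):
        print(demo(sample))
    print(sni_exposures([demo(SAMPLE_PLAIN_SNI), demo(SAMPLE_ESNI)]))
```

Running the block prints two headers, one with and one without the `sni` clause, and then lists only the first as an exposure; `sni_exposures` is the piece to point at an archive of stored headers when estimating how much connection metadata a leak of that archive would give away.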