
Re: SMTP authentication (not soon)

2014-07-09 20:46:15
Umm, every major email client already has STARTTLS using PKIX Authentication
using the WebPKI roots. Go take a look at them.

So how can it be impractical to do something that has already been routine
for over a decade?


You might well want to apply a security policy grounded in DNS and you
might well choose DANE/DNSSEC for that but you could equally do DANE on its
own or inband signaling such as pinning.

Yes, I know that the STARTTLS draft does have a confused statement on the
subject ruling out use but that doesn't mean it is correct and it has been
routinely ignored in the major implementations because they were using
WebPKI client side before STARTTLS was proposed.





On Wed, Jul 9, 2014 at 9:49 AM, Viktor Dukhovni <ietf-dane(_at_)dukhovni(_dot_)org> wrote:

On Wed, Jul 09, 2014 at 12:27:18PM +0100, Stephen Farrell wrote:

And even though we do IMO have a really good success
story for OS with recent deployments of STARTTLS for MTA-MTA SMTP,
it'll be interesting to see if the non-authenticated cases there
transition towards authenticated endpoints or not over time so we
might be better off waiting a while to find out stuff like that
before writing BCP text.

Transition to PKIX authentication is unrealistic for SMTP.


http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10#section-1.3

so any large-scale use of authenticated STARTTLS with SMTP is
predicated on DANE adoption, which is predicated on DNSSEC deployment.

While I am hopeful that the pace of DNSSEC adoption will pick up, this
will take some time.  It would help if more applications than a
single MTA took advantage of DANE, motivating broader DNSSEC adoption.

The SMTP problem is generic to any protocol that is opportunistic
and uses DNS indirection (MX, SRV, ...).

Thus, while Facebook's SMTP security report seems to suggest that
they expect or hope for SMTP authentication via CA certificates to
become more prevalent, they are misguided.  PKIX CA authentication
with SMTP without per-destination manual settings gives at best
illusory security.  There is little point in deploying public CA
issued certs on public MX hosts unless one has static reciprocal
authentication arrangements with partner domains.

--
        Viktor.
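
Added example, not part of either message above: a simplified Python model of the argument in the quoted message, that a PKIX check against an MX host name learned from unvalidated DNS passes equally for any host holding a CA-issued certificate for its own name, so only DANE or a static per-destination policy yields an authenticated result. The class names, result labels and example.* hosts are constructed for illustration, and this is not the algorithm text of the DANE draft.

```python
from dataclasses import dataclass

@dataclass
class MxAnswer:
    host: str               # MX target returned for the recipient domain
    dnssec_validated: bool  # MX RRset validated with DNSSEC
    has_tlsa: bool          # DNSSEC-validated TLSA records exist for host, port 25

@dataclass
class TlsSession:
    cert_names: frozenset   # DNS names in the server certificate
    chain_valid: bool       # chain verifies to a trusted public CA (PKIX)
    tlsa_match: bool        # certificate matches a published TLSA record

def pkix_ok(mx, tls):
    """PKIX check against the only name the sender has: the MX host name."""
    return tls.chain_valid and mx.host in tls.cert_names

def assess(domain, mx, tls, static_policy=None):
    """Classify the session. static_policy maps a recipient domain to the MX
    host names agreed with that partner (per-destination manual setting)."""
    if mx.dnssec_validated and mx.has_tlsa:
        return "authenticated-dane" if tls.tlsa_match else "fail-tlsa-mismatch"
    if static_policy and domain in static_policy:
        ok = mx.host in static_policy[domain] and pkix_ok(mx, tls)
        return "authenticated-static-pkix" if ok else "fail-static-policy"
    # The MX host name came from unauthenticated DNS, so a certificate that
    # is valid for that name says nothing about who serves `domain`.
    return "encrypted-unauthenticated"

# Constructed sample data (example.* names are placeholders).
REAL = MxAnswer("mx1.example.net", dnssec_validated=False, has_tlsa=False)
OTHER = MxAnswer("mx.example.org", dnssec_validated=False, has_tlsa=False)
REAL_TLS = TlsSession(frozenset({"mx1.example.net"}), True, False)
OTHER_TLS = TlsSession(frozenset({"mx.example.org"}), True, False)
POLICY = {"example.com": {"mx1.example.net"}}

if __name__ == "__main__":
    for mx, tls in ((REAL, REAL_TLS), (OTHER, OTHER_TLS)):
        print(mx.host, pkix_ok(mx, tls), assess("example.com", mx, tls),
              assess("example.com", mx, tls, POLICY))
```

Both MX answers pass the bare PKIX check and get the same unauthenticated classification; only the run with the static policy tells them apart.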

