> On May 2, 2018, at 12:54 PM, [email protected] wrote:
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-uta-smtp-tlsrpt-19
Two observations triggered by reading the diff:

1.1 Terminology:

The definition of MTA-STS describes the MTA promising STARTTLS,
specifying the valid presented identities, ..., but the DANE
definition just mentions "constraints", which is neither comparably
complete nor correct:

OLD: [compare with MTA-STS policy]

   o  DANE Policy: A mechanism by which administrators can specify
      constraints to be used to validate certificates presented by an
      MTA.  DANE is defined in [RFC6698] and [RFC7672].

NEW:

   o  DANE Policy: A mechanism by which administrators can use DNSSEC
      to commit an MTA to support STARTTLS and to publish criteria to
      be used to validate its presented certificates.  DANE for SMTP
      is defined in [RFC7672], with the base specification in [RFC6698]
      (updated in [RFC7671]).

The definition of "Policy Domain" is not complete; it is *not* always
the envelope recipient domain.  Indeed for MTA-STS it may be a "smarthost"
gateway en-route to the destination domain.  And for DANE the policy
domain is the "TLSA base domain" associated with the remote SMTP server.
Typically this is the hostname of the receiving SMTP server, or its
full CNAME expansion as described in RFC7672.

OLD:

   o  Policy Domain: The domain against which an MTA-STS or DANE Policy
      is defined.  This should be the same as the recipient envelope
      domain [RFC5321], such as if the message were going to
      "[email protected]", the policy domain would be "example.com".

NEW:

   o  Policy Domain: The domain against which an MTA-STS or DANE Policy
      is defined.  For MTA-STS this is typically the same as the envelope
      recipient domain [RFC5321], but when mail is routed to a "smarthost"
      gateway by local policy, the "smarthost" domain name is used instead.
      For DANE the Policy Domain is the "TLSA base domain" of the receiving
      SMTP server as described in [RFC7672] (Section 2.2.3) and [RFC6698]
      (Section 3).

The text in Section does not make it clear to what name the prefix "_smtp._tls"
should be prepended.  I think this would be the "Policy Domain" above.  This
should be explicit.  With DANE, since policy is per-MX-host and different
parties may operate different MX hosts, it is natural to align the reporting
address with the operator's domain (by looking under the TLSA base domain
for both "_25._tcp" TLSA records and "_smtp._tls" report policy).
--
Viktor.
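The DANE-side lookup the message describes, as an added example that is not part of the original post or of the draft: derive the TLSA base domain of an MX host by CNAME expansion (my reading of RFC 7672, Sections 2.2.2 and 2.2.3, with TLSA tried at the expanded name first and the original name as fallback), then look for the TLSRPT TXT record under `_smtp._tls.` of that base domain. The zone table, hostnames and TXT contents are constructed, and every record is assumed to be DNSSEC-secure.

```python
# Added example (not the draft's text): TLSA base domain by CNAME expansion,
# my reading of RFC 7672 Sec. 2.2.2/2.2.3, then "_smtp._tls.<policy domain>".
# Zone data is constructed and every record is assumed DNSSEC-secure.
ZONE = {
    # example.com's MX name is a CNAME chain into a provider's namespace.
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "CNAME"): "mx1.provider.example",
    ("mx1.provider.example", "CNAME"): "mx1.hosts.provider.example",
    # Provider publishes TLSA and TLSRPT policy under the expanded name.
    ("_25._tcp.mx1.hosts.provider.example", "TLSA"): ["3 1 1 <placeholder-hash>"],
    ("_smtp._tls.mx1.hosts.provider.example", "TXT"): ["v=TLSRPTv1; rua=mailto:tls-rpt@provider.example"],
    # example.net's MX name is not a CNAME; TLSA sits directly under it.
    ("example.net", "MX"): ["mx.example.net"],
    ("_25._tcp.mx.example.net", "TLSA"): ["3 1 1 <placeholder-hash>"],
    ("_smtp._tls.mx.example.net", "TXT"): ["v=TLSRPTv1; rua=mailto:tls-rpt@example.net"],
}

def cname_expand(name, max_depth=8):
    """Follow CNAMEs to the canonical name (bounded so a loop cannot hang us)."""
    for _ in range(max_depth):
        target = ZONE.get((name, "CNAME"))
        if target is None:
            return name
        name = target
    raise ValueError("CNAME chain too long")

def tlsa_base_domain(mx_host):
    """Try TLSA at the expanded name first, then at the original MX name.
    Returns (base_domain, tlsa_rrset), or (None, []) when there is no DANE policy."""
    candidates = [cname_expand(mx_host)]
    if candidates[0] != mx_host:
        candidates.append(mx_host)
    for cand in candidates:
        rrset = ZONE.get(("_25._tcp." + cand, "TLSA"), [])
        if rrset:
            return cand, rrset
    return None, []

def tlsrpt_lookup_name(policy_domain):
    """The TLSRPT policy is a TXT record at _smtp._tls.<policy domain>."""
    return "_smtp._tls." + policy_domain

def dane_report_policy(recipient_domain):
    """Per MX host: policy domain = TLSA base domain; report policy is under it."""
    out = {}
    for mx in ZONE.get((recipient_domain, "MX"), []):
        base, _ = tlsa_base_domain(mx)
        out[mx] = None if base is None else (base, ZONE.get((tlsrpt_lookup_name(base), "TXT"), []))
    return out
```

For example.com the report policy is found under the provider's base domain, not under the recipient domain, which is the alignment with the operator's domain that the message argues for.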