Closed aykevl closed 7 years ago
Hey, thanks for the detailed feedback. A few comments:
Points 1-3: these are rectified in the KV_Version branch (which will become the master branch as soon as I do the merge ;) ).
Regarding the "numeric portion" bit, I have no idea what this refers to, either. Maybe @abrotman does.
All the rest is, I think, good actionable feedback. I'll try to address it all before the 08 draft.
I have a few more comments, of which two possible security considerations. Should I add them here or post them on the uta mailing list?
I would say editorial (of the nature above) are best tracked simply as issues, since they tend to be noncontroversial.
If they are more significant (as your Security Considerations may be), I would post on the UTA list so others can give feedback.
On Mon, Aug 14, 2017 at 7:03 PM Ayke notifications@github.com wrote:
I have a few more comments, of which two possible security considerations. Should I add them here or post them on the uta mailing list?
— You are receiving this because you commented.
Reply to this email directly, view it on GitHub https://github.com/mrisher/smtp-sts/issues/171#issuecomment-322247900, or mute the thread https://github.com/notifications/unsubscribe-auth/AB1vi3EwfvCzc7snotKgjBHpsjZnH-E4ks5sYH3zgaJpZM4Ozqsa .
I think these were all addressed. Let me know if I missed anything.
I've written a small (possibly buggy) testing tool for MTA-STS: https://github.com/aykevl/mta-sts. While doing that, I found a few issues with the spec as it is. Some are things that I suspect are real issues or omissions, others may just be because I misunderstood some portion of the spec.
I've put this in a single issue so the issue list won't get flooded.
For the MTA-STS part:
.txt
extension I think this should betext/plain
. Maybe the Content-Type should be explicitly listed in the spec? What should a verifier do when it encounters another Content-Type?max_age
? In particular:Note that mail server may not be able able to use a cache similar to a browser or HTTP proxy.
"implementing a superset of this specification" seems vague to me - what is a superset? Maybe it's better to say something like "key-value pairs with an unknown key must be ignored to allow extension to this specification".
So, does that mean there can be invalid mx entries in the policy file? What should a parser do when it encounters invalid mx entries?
mode
)? Should a parser assume defaults (which?) or should the policy file be ignored altogether?max_age
formatted using an underscore? It makes sense in JSON (which is derived from JavaScript and can't contain dashes in variable names) but for key-value pairs (like mail or HTTP headers) using dashes seems to be more common. (But I don't really care about this - not worth bikeshedding about).And for the reporting side of the spec:
The ABNF for the TXT record mentions:
I don't get the "the numeric portion MUST fit within an unsigned 64-bit integer" part. What's the numeric portion? The only part I can think of is the port number, which is 16-bit. I also can't find anything about a numeric portion in RFC3986.
v=TLSRPTv1;rua=mailto:reports@example.com ;
would be illegal whilev=TLSRPTv1;rua = mailto:reports@example.com
would be legal, if I've interpreted the ABNF correctly.