Migration of Questions mailing list


Martijn Katerbarg

Oct 15, 2024, 10:50:08 AM
to infrast...@groups.cabforum.org

Hi folks,

Looking for opinions and/or other alternatives on how to migrate the questions mailing list.

 

The problem with this one is, the address is incorporated in several documents, including our Bylaws and TLS BRs which cannot be changed without multiple ballots. There are a few different options for us to take:

 

  • Migrate the mailing list just like the others, but redirect emails coming into the old address to the new address.
    • Downside: Since the redirect goes through Gmail, the from header is rewritten and thus the original sender can only be found in the message headers. This makes it complicated (and annoying) to respond to messages.
  • Migrate the mailing list just like the others, and block the old email address, responding with a bounce message stating where the email should be sent instead.
    • Technically this could allow a CA to circumvent a requirement, but I don’t believe any requirement involving the address has been used for a long time.
  • Set up the new mailing list, but keep both active until the documents have been updated.
    • This will likely keep our old server around for several more months.

 

 

Personally I’m a fan of the second option, but perhaps there are people here with alternative ideas, or that are completely against the second option.

Thoughts, please.

Regards,

Martijn

Paul van Brouwershaven

Oct 16, 2024, 7:11:16 AM
to infrast...@groups.cabforum.org
Hi Martijn,

I'm a little confused about what is causing the problem for the first option, that seems to be a very straightforward solution that is widely used.

Smtp:3.131.80.79 is answered by Postfix

Postfix provides multiple ways to REDIRECT email to other internal or external addresses, for example via the virtual_alias_maps.

This does not change the from header, which might be done by Google Groups.

Paul




Martijn Katerbarg

Oct 16, 2024, 7:19:53 AM
to infrast...@groups.cabforum.org

Hi Paul,

 

> This does not change the from header, which might be done by Google Groups.


That exactly is the issue. We currently have 2 outbound SMTP hosts for our postfix setup, it’s SES and it’s GMAIL. SES won’t accept redirect unless the original-From has been whitelisted, i.e., that won’t work. Gmail rewrites the message headers so the message is shown coming from our own gmail address, thus causing the problems listed in the “Downside” bit.

 

Regards,

Martijn

 


 

Paul van Brouwershaven

Oct 16, 2024, 7:50:34 AM
to infrast...@groups.cabforum.org
In that case you could create a transport_maps to skip SES and deliver directly to smtp.google.com:

transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport





Martijn Katerbarg

Oct 16, 2024, 8:16:41 AM
to infrast...@groups.cabforum.org

That still doesn’t tackle the google part of it. They won’t accept it as such, and will rewrite

 

Roman Fischer

Oct 16, 2024, 8:48:18 AM
to infrast...@groups.cabforum.org

Hi Martijn,

 

I don't understand the point "this could allow a CA to circumvent a requirement", can you elaborate?

 

Thx
Roman

 


Martijn Katerbarg

Oct 16, 2024, 9:03:56 AM
to infrast...@groups.cabforum.org

Hi Roman,

 

The TLS BRs have as requirement:
The CA MUST also (prior to issuing a certificate under the modified requirement) notify the CA/Browser Forum of the relevant information newly added to its CPS by sending a message to ques...@cabforum.org and receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at https://cabforum.org/pipermail/public/ (or such other email addresses and links as the Forum may designate), so that the CA/Browser Forum may consider possible revisions to these Requirements accordingly.

 

If the email address isn’t in use, doing that won’t help much and would technically allow a CA to bypass it. However, it’s a requirement that I don’t think has been used in a long time, hence why I think option 2 is the best option. Yet I want to give people the opportunity to not go down that route if they believe we shouldn’t.

 

Regards,

Martijn

 


Ben Wilson

Oct 16, 2024, 10:27:40 AM
to infrast...@groups.cabforum.org

Dimitris Zacharopoulos (HARICA)

Oct 16, 2024, 11:55:39 PM
to infrast...@groups.cabforum.org
I'd still prefer a workable solution for #1. Otherwise, the safest approach would be to wait for clean-up ballots to change the TLS, Code Signing and S/MIME BRs with a new email address for the questions list.

IMO option #2 needs discussion in each WG that references the ques...@cabforum.org email in their BRs. If no objections or concerns are raised about the #2 proposal, then we can proceed with its implementation.

Thoughts?

Dimitris.

Roman Fischer

Oct 18, 2024, 7:31:35 AM
to infrast...@groups.cabforum.org

Given that https://cabforum.org/pipermail/public/ gives a 404… 😉 I'd vote for option 2 and a clean-up ballot to fix the TLS BR "after the fact".

 

-Roman
