Re: [dane] Need better opportunistic terminology
Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 07 March 2014 10:20 UTC
Date: Fri, 07 Mar 2014 10:20:27 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <20140307102027.GJ21390@mournblade.imrryr.org>
References: <CAMm+LwjF9To+w3K4RR=72BbLNE2hJa9CibWOEARYmODiuFNu9g@mail.gmail.com> <20140307004432.GH21390@mournblade.imrryr.org> <13236.1394184906@sandelman.ca>
In-Reply-To: <13236.1394184906@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/6m6baSt_UJDldM7Jcp9ICmrjC_w
Cc: saag@ietf.org, dane@ietf.org
On Fri, Mar 07, 2014 at 04:35:06AM -0500, Michael Richardson wrote:

> > Thus, until the happy future when a significant fraction of domains are
> > DNSSEC signed, and their MX hosts are accompanied by DNSSEC-validated
> > "secure" TLSA records, in practice the protocol is essentially the same
> > as with (pre-DANE) opportunistic TLS. The client employs the best
> > security level available (including cleartext).
>
> And, in particular, I think that "opportunistic TLS" interoperates with
> "opportunistic DANE TLS". The two sides don't have to know each
> other's policies.

Yes. This is quite common. Servers generally don't know how and whether
clients perform TLS authentication. The best they can hope for is that
clients find their certificates useful.

I should however note that opportunistic DANE TLS sends SNI when the
server has TLSA records. We don't yet know whether there are MTA
implementations which would fail to complete the TLS handshake when they
don't have a certificate with an exactly matching name. The draft
requires servers to continue with a suitable default certificate if no
SNI match is found.

Since the draft precedes any significant deployment of SMTP servers with
TLSA records, one can hope that server operators will not publish TLSA
records if their server is "allergic" to "opportunistic" DANE TLSA
clients (really SNI hints that turn out to not match any certificate
configured on the server). Thus far no such servers have been observed,
but the number of deployed clients and servers is still quite small.

I am not aware of any MTAs that support server-side SNI, but this could
be mere ignorance. If some do, those might be the ones that get unhappy
with unexpected SNI signals from clients. Servers that have completely
ignored SNI to date (e.g. Postfix) will continue to do so.

Any suggestions for a better name for this mode of operation?

-- 
	Viktor.
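As an added illustration of the interoperability point in the message above (example code, not from the draft, Postfix or any MTA): a Python model of the client's level selection and of three server SNI behaviours. The level names, the "lenient"/"ignoring"/"allergic" server variants and the hostnames and certificate labels are assumptions constructed for the example.

```python
from typing import Dict, Optional

SECURE, INSECURE, NONE = "secure", "insecure", "none"   # DNSSEC status of the TLSA lookup

def client_policy(tlsa_status: str, tlsa_records: int, server_offers_starttls: bool) -> dict:
    """Opportunistic DANE TLS client: authenticate and send SNI only when the MX host
    has DNSSEC-validated "secure" TLSA records; otherwise behave like pre-DANE
    opportunistic TLS and take the best level on offer, down to cleartext."""
    if tlsa_status == SECURE and tlsa_records > 0:
        return {"level": "dane", "send_sni": True, "authenticate": True}
    if server_offers_starttls:
        return {"level": "encrypt", "send_sni": False, "authenticate": False}
    return {"level": "cleartext", "send_sni": False, "authenticate": False}

def lenient_server(certs: Dict[str, str], default: str, sni: Optional[str]) -> str:
    """What the draft requires: exact SNI match if configured, else the default cert."""
    if sni is not None and sni in certs:
        return certs[sni]
    return certs[default]

def ignoring_server(certs: Dict[str, str], default: str, sni: Optional[str]) -> str:
    """Server that never looks at SNI (the message names Postfix): always the default."""
    return certs[default]

def allergic_server(certs: Dict[str, str], default: str, sni: Optional[str]) -> str:
    """Hypothetical server that aborts when the SNI name matches no configured cert."""
    if sni is not None and sni not in certs:
        raise ValueError("unrecognized_name")
    return certs[sni] if sni is not None else certs[default]

def handshake(mx_host: str, policy: dict, server, certs: Dict[str, str], default: str) -> dict:
    """Run one client/server exchange; the SNI hint is the MX hostname being contacted."""
    sni = mx_host if policy["send_sni"] else None
    try:
        return {"completed": True, "sni": sni, "cert": server(certs, default, sni)}
    except ValueError as err:
        return {"completed": False, "sni": sni, "reason": str(err)}

# Constructed scenario: the MX name differs from the name on the server's only cert.
CERTS = {"smtp.example.com": "cert-smtp"}          # constructed: server's configured certs
MX_HOST = "mail.example.com"                        # constructed: name in the MX record
DANE_CLIENT = client_policy(SECURE, 1, True)         # TLSA records found, DNSSEC-secure
PLAIN_CLIENT = client_policy(INSECURE, 1, True)      # unsigned zone: TLSA records unusable

if __name__ == "__main__":
    for name, srv in [("lenient", lenient_server), ("ignoring", ignoring_server),
                      ("allergic", allergic_server)]:
        print(name, handshake(MX_HOST, DANE_CLIENT, srv, CERTS, "smtp.example.com"))
```

Only the "allergic" variant breaks the exchange, and only for the DANE client: the pre-DANE opportunistic client sends no SNI and completes against all three.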