IETF Logo Mail Archive

Re: [dane] DANE and STARTTLS - indication of availability of encryption

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 06 September 2013 18:36 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B040D11E81AB for <dane@ietfa.amsl.com>; Fri, 6 Sep 2013 11:36:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.409
X-Spam-Level:
X-Spam-Status: No, score=-2.409 tagged_above=-999 required=5 tests=[AWL=0.190, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bD7ZKLlF4q1e for <dane@ietfa.amsl.com>; Fri, 6 Sep 2013 11:36:44 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [208.77.212.107]) by ietfa.amsl.com (Postfix) with ESMTP id 71AFD11E81A9 for <dane@ietf.org>; Fri, 6 Sep 2013 11:36:44 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id CA1CC2AB081; Fri, 6 Sep 2013 18:36:41 +0000 (UTC)
Date: Fri, 06 Sep 2013 18:36:41 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130906183641.GA29796@mournblade.imrryr.org>
References: <20130904144549.GA29796@mournblade.imrryr.org> <m3bo48885q.fsf@carbon.jhcloos.org> <20130905010924.GM29796@mournblade.imrryr.org> <CAF4kx8fq2oxNK2MiCCrNJUn-Qog+TXrHZ+ohj-vKFxpi+5PPEw@mail.gmail.com> <20130905212933.GI61351@mx1.yitter.info> <CAF4kx8etOjE8y4B9dq1dm6_5_8TOYHnp4v1r0bfT1SOr5im0mw@mail.gmail.com> <m3d2om5bt2.fsf@carbon.jhcloos.org> <20130906155016.GY29796@mournblade.imrryr.org> <CAF4kx8cHKj24Wwf=4-OECY+rRLsoW2_8V_q+gY2-KmpMOnFg7Q@mail.gmail.com> <20130906173919.GZ29796@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20130906173919.GZ29796@mournblade.imrryr.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] DANE and STARTTLS - indication of availability of encryption
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2013 18:36:49 -0000

On Fri, Sep 06, 2013 at 05:39:19PM +0000, Viktor Dukhovni wrote:

> In the mean time Google can easily add client-side DANE TLSA support,
> this just requires a DNSSEC aware resolver.

Plus of course very carefully written DANE-aware peer-chain
verification code in the SMTP client.  Some implementations
forget to properly check the validity of usage "2" chains
(that each element is unexpired, signed by its parent, ...).

-- 
	Viktor.

v2.30.2 | Report a Bug | By Email | System Status