[dane] Lukewarm discussion: DANE for opportunistic TLS protocols
Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 14 February 2014 20:00 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 217461A0361 for <dane@ietfa.amsl.com>; Fri, 14 Feb 2014 12:00:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFGCf6flNUtc for <dane@ietfa.amsl.com>; Fri, 14 Feb 2014 12:00:05 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 45FC21A0323 for <dane@ietf.org>; Fri, 14 Feb 2014 12:00:04 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id BB35D2AAD11; Fri, 14 Feb 2014 20:00:02 +0000 (UTC)
Date: Fri, 14 Feb 2014 20:00:02 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140214200002.GK278@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/d1ICZx_epgppr72Udfxv47DT6vA
Subject: [dane] Lukewarm discussion: DANE for opportunistic TLS protocols
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 20:00:08 -0000
Paul Hoffman (thanks) points out that there may be prior consensus with respect to the applicability of DANE TLSA to "discovery" of TLS enabled services. I was not party to the original discussion of this topic, my apologies if I am about to repeat previously discussed ideas. The SMTP draft defines an opportunistically secure protocol. For inter-domain email on Internet scale, no domain has prior knowledge of the set of peer domains (more specifically their MX hosts) that support TLS. Today's MTA employ TLS opportunistically, based on the offer of the "STARTTLS" SMTP extension in the SMTP server's EHLO response. This offers no protection against MITM attacks (or even transient errors, as many SMTP clients will retry in cleartext after TLS transmission fails). The DANE SMTP draft aims to provide a downgrade-resistant protocol by which SMTP clients can determine (discover if you will) that a given SMTP server support TLS and expects DANE SMTP clients to avoid using cleartext delivery with the server. The associated TLSA records are used to authenticate the server to mitigate MITM attacks that terminate TLS (rather simply suppress it). If determining whether TLS support is required is incompatible with DANE, I see no purpose for the SMTP draft. We already unauthenticated opportunistic TLS for SMTP (STARTTLS) which is vulnerable to various downgrade attacks. Without a secure signal to do TLS, the downgrade attacks remain, and opportunistic TLS does not benefit from DANE. So I hope the group can reach consensus that it is OK to use TLSA records to discover a requirement for TLS. This approach is not new with the SMTP draft, it dates back to the original SRV draft from Tony Finch, and is still stated in the revived version of that document. -- Viktor.
- [dane] Lukewarm discussion: DANE for opportunisti… Viktor Dukhovni
- Re: [dane] Lukewarm discussion: DANE for opportun… James Cloos
- Re: [dane] Lukewarm discussion: DANE for opportun… Peter Saint-Andre
- Re: [dane] Lukewarm discussion: DANE for opportun… Paul Hoffman
- Re: [dane] Lukewarm discussion: DANE for opportun… Viktor Dukhovni
- Re: [dane] Lukewarm discussion: DANE for opportun… James Cloos
- Re: [dane] Lukewarm discussion: DANE for opportun… Warren Kumari
- Re: [dane] Lukewarm discussion: DANE for opportun… Viktor Dukhovni
- Re: [dane] Lukewarm discussion: DANE for opportun… Viktor Dukhovni
- Re: [dane] Lukewarm discussion: DANE for opportun… Phillip Hallam-Baker
- Re: [dane] Lukewarm discussion: DANE for opportun… Jelte Jansen
- Re: [dane] Lukewarm discussion: DANE for opportun… Nicholas Weaver
- Re: [dane] Lukewarm discussion: DANE for opportun… Paul Wouters
- Re: [dane] Lukewarm discussion: DANE for opportun… Nicholas Weaver
- Re: [dane] Lukewarm discussion: DANE for opportun… Viktor Dukhovni