Re: [Endymail] Hashes of key as addresses
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 05 September 2014 22:10 UTC
Date: Fri, 5 Sep 2014 22:10:12 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: endymail <endymail@ietf.org>
Message-ID: <20140905221012.GC26920@mournblade.imrryr.org>
References: <CAMm+LwimhUi5uZAgm9erYtMJ9-o6+x__344TwKH4-Pa_-mckfg@mail.gmail.com>
<20140829091133.GA25723@yeono.kjorling.se>
<CAMm+LwhSYm7e4WevDKqewGuOk=O_Zd7dKa1ctfvBzyF3jz4jtg@mail.gmail.com>
<20140904132955.GN603@yeono.kjorling.se>
<20140905192712.XG2Xmr5N%sdaoden@yandex.com>
<20140905212537.GY26920@mournblade.imrryr.org>
<CAMm+LwgF825P+k9tNoaaw5YY+_dkGZBgOAcx9KF=f23ouCJLZQ@mail.gmail.com>
In-Reply-To: <CAMm+LwgF825P+k9tNoaaw5YY+_dkGZBgOAcx9KF=f23ouCJLZQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/endymail/mJ1kAdKbf38sLpE0VbecGWpc6xY
Subject: Re: [Endymail] Hashes of key as addresses
On Fri, Sep 05, 2014 at 05:59:12PM -0400, Phillip Hallam-Baker wrote:

> > SMTP is not that latency sensitive. Because SMTP starts in cleartext,
> > servers can and do refuse to STARTTLS with clients they are going
> > to reject due to poor IP reputation.
> >
> > There are other advantages. For example, the server learns the
> > client's EHLO name before TLS, allowing it to base TLS policy (like
> > requests for the client certificate) on the client's EHLO name.
> > And of course clients that fail to interoperably negotiate TLS can
> > fall back to cleartext.
> >
> > All told, STARTTLS is a good fit for SMTP, which unlike HTTP is
> > not nearly as sensitive to latency.
>
> Very good points and points that designers of DNS privacy approaches
> would do well to bear in mind. Any protocol that has a server performing a
> public key transaction without any form of authentication on the
> request is going to end up being killed by DoS.

Postfix can also rate limit run-away clients that rapidly create
uncached sessions, rather than reuse established sessions. This
behaviour can be "stress-dependent", when the service process limit
has recently been reached. While not widely deployed by default,
such counter-measures are good to have up one's sleeve.

> So the trick is to pull the authentication out of the DNS query loop
> so it can be amortized.

Similar amortization ideas in DJB's MinimaLT, suggestions for
short-term re-use of ECDH exponents with 25519, ...

Also in much more mundane process-reuse in Postfix, where each service
handles 100 or so requests by default before exiting, amortizing
start-up cost.

-- 
Viktor.
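The counter-measure Viktor describes, a per-client limit on fresh (uncached) TLS handshakes that tightens when the server is under stress while resumed sessions stay free, as an added illustrative model in Python. This is not Postfix's code; the thresholds, client addresses and event log are constructed for the example.

```python
from collections import defaultdict, deque


class NewSessionLimiter:
    """Sliding-window limit on uncached TLS handshakes per client.

    Resumed (cached) sessions are cheap and never counted; only fresh
    handshakes, which cost the server a public-key operation before any
    authentication has happened, count against the client. When the
    `stress` flag is set (service process limit recently reached) the
    tighter limit applies. Limits here are constructed, not Postfix defaults.
    """

    def __init__(self, normal_limit=20, stress_limit=5, window=60):
        self.normal_limit = normal_limit
        self.stress_limit = stress_limit
        self.window = window          # seconds
        self.stress = False
        self._fresh = defaultdict(deque)   # client -> timestamps of fresh handshakes

    def limit(self):
        return self.stress_limit if self.stress else self.normal_limit

    def admit(self, client, resumed, now):
        """Return True if this handshake may proceed, False to refuse it."""
        if resumed:
            return True
        q = self._fresh[client]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit():
            return False
        q.append(now)
        return True


def refused_per_client(events, limiter):
    """Run (time, client, resumed) events through the limiter; count refusals."""
    refused = defaultdict(int)
    for now, client, resumed in events:
        if not limiter.admit(client, resumed, now):
            refused[client] += 1
    return dict(refused)


# Constructed event log: one client hammers fresh handshakes, one reuses sessions.
SAMPLE_EVENTS = (
    [(t, "198.51.100.7", False) for t in range(25)]   # 25 fresh handshakes in 25 s
    + [(t, "203.0.113.9", True) for t in range(25)]   # 25 resumed sessions
    + [(120, "198.51.100.7", False)]                  # window has slid: admitted again
)
```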