IETF Logo Mail Archive

Re: IETF mail server and SSLv3

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 03 March 2016 13:33 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B51911ACD68 for <ietf@ietfa.amsl.com>; Thu, 3 Mar 2016 05:33:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LmIo1lCWZLu0 for <ietf@ietfa.amsl.com>; Thu, 3 Mar 2016 05:33:02 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD88A1ACD44 for <ietf@ietf.org>; Thu, 3 Mar 2016 05:33:01 -0800 (PST)
Received: by mail-lb0-x230.google.com with SMTP id cf7so7105095lbb.1 for <ietf@ietf.org>; Thu, 03 Mar 2016 05:33:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=8ULGepiO+GojowOqTLL1OBJnx8jTRwx/fmmtEXLEEkE=; b=SZIiIPI/N3KRyX/UP2D5TbCEP4C39v5Ijrr8jgXfVEUYq+wFBZbAgv7sV4Ir9xFsdC 8CU+aQ7mRskjf5Xm5x6sDUVE78nq4+Cyb+oSNRrCHBnBkWyWC2iwVeYxt7lQfeaw1fma RNLIvbS+xl9gAPr/2phAWJGFO36t1Bsryu+vqlXm6ac2MxrptYRDIANfkp6ZqmtReLH8 L+G0l0PM3eAk3hFIc7y03V0RHe3KTa6/dpiNL/J8zHKNwkoOCrCMIV5uD/N/78SMCnrQ LCoib7vi0rS1Py1NqA7lSGBaelq/dnFWO8uFH1UAQb6XCa3tpaMEhVaYovZwOVF+DP+p WO4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=8ULGepiO+GojowOqTLL1OBJnx8jTRwx/fmmtEXLEEkE=; b=HtNFPoV/62rnDSgxEdVz8CWgC4R9PFHUdAWcoJltGkBNfTzEy/vr5j5RtKwGYtYYOZ v5bsB3Mx0KAMn3r2b91Z7BPn5zAtuT+Wj/ugHL2YDukSSoNsnJKwreH38jKnV0a/n8se LRbA7vmuSPJ/YjuePlkBipEi8RfoJM9pYQ3MuhFg5l0s2MeBAZmfyXBKyDuALVduEjkC o0OFAX2f9KauALpFAzKRLSTNq5niHM5OuWdtmCNqqnbch8c+6bslC+Nljt+AZQgxZIo5 eQKBGgo7VCOySXStOGFYEMHBk+HsKrg+govuhER42z/n746NblYU6FdusWUeAfOoff2E wE3g==
X-Gm-Message-State: AD7BkJLo//UXrfqi1GoJNDCO3JhIeo2U2QEWcKiVkxb8IoxNpY8mlEbWkRhhM67l1azcVlICk6ajf+AXSgXTAw==
MIME-Version: 1.0
X-Received: by 10.25.213.196 with SMTP id m187mr1055506lfg.67.1457011980003; Thu, 03 Mar 2016 05:33:00 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.151.67 with HTTP; Thu, 3 Mar 2016 05:32:59 -0800 (PST)
In-Reply-To: <56D819FD.2080205@cs.tcd.ie>
References: <F38A9FEF-7DBB-4F40-860E-6CB425E5EEE3@ietf.org> <sjmvb66r1st.fsf@securerf.ihtfp.org> <ABDE99FE-4884-4B2C-8115-8D9CB03D372B@vigilsec.com> <m237s8ax5m.wl%randy@psg.com> <258C9930-4852-4A84-AB7D-F843D0E04C28@dukhovni.org> <56D819FD.2080205@cs.tcd.ie>
Date: Thu, 03 Mar 2016 08:32:59 -0500
X-Google-Sender-Auth: lqXvYZ6qtaDAbz-sC26FHJdjjrg
Message-ID: <CAMm+LwhKi9nmfoRcoxh05=N6d0DKGvO+zDPvbrrXaMoCm=bdkA@mail.gmail.com>
Subject: Re: IETF mail server and SSLv3
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/2IaN_lZv-p4-0VD4zS97Xlb5PCs>
Cc: IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2016 13:33:03 -0000

On Thu, Mar 3, 2016 at 6:03 AM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
>
> On 03/03/16 07:11, Viktor Dukhovni wrote:
>
>> The way I see it for opportunistic TLS in general, and Postfix specifically,
>> is that the sensible approach is to prune the deadwood once it is no longer
>> useful for interoperability except with a theoretical, but in practice negligible
>> to non-existent minority of peers.  That is, once removing obsolete
>> and week crypto has no practical negative consequences, we should just do it.
>
> This was something we debated during the processing of
> RFC7435. I do think the OS approach is a fine thing, but
> I'd be much more for ditching weak crypto than you.
>
> DROWN, LOGJAM and other attacks demonstrate that keeping
> weak crypto code around does have negative consequences,
> and with DROWN those are pretty impressively negative.

This is also an argument for multi-layer security.

Transport Layer Security isn't a panacea, it has limitations. Back in
1995 we had to choose the one place we applied encryption because
machines were slow. Today we can and should have multi-level security.

We need message layer security in addition to transport. And we need
an infrastructure for deploying client side key material.

v2.23.0 | Report a Bug | By Email