Re: [saag] Is opportunistic unauthenticated encryption a waste of time?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 23 August 2014 21:06 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 266F81A0B7E; Sat, 23 Aug 2014 14:06:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TNt6a7lj8ciF; Sat, 23 Aug 2014 14:05:58 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DB0F1A0B7F; Sat, 23 Aug 2014 14:05:58 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 8D3B02AB2C2; Sat, 23 Aug 2014 21:05:50 +0000 (UTC)
Date: Sat, 23 Aug 2014 21:05:50 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Is opportunistic unauthenticated encryption a waste of time?
Message-ID: <20140823210550.GP14392@mournblade.imrryr.org>
References: <CAMm+LwhmJpnU8E9ifA47baneGB=qjHzU_cy+wepPYLXrOhB+Pg@mail.gmail.com> <20140821160402.GT14392@mournblade.imrryr.org> <f5d8b5dc37b84f709c8f2df7c7a69daf@AMSPR06MB439.eurprd06.prod.outlook.com> <CAK3OfOgZzoXVnrE8Nbs6mwN2xD_snbzH9jT8TsYOVt8UASahYQ@mail.gmail.com> <a354d63505924d76a15b505e60e27a16@AMSPR06MB439.eurprd06.prod.outlook.com> <20140822140000.GE14392@mournblade.imrryr.org> <BLU181-W84354FE6BEF12305A2A7DB93D10@phx.gbl> <20140823040550.GQ5909@localhost> <BLU181-W307B52819C577693183E2D93D10@phx.gbl> <53F8FA97.2020607@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <53F8FA97.2020607@cs.tcd.ie>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/S941nl1P4F5qjYCpL6ZDfUkB_7g
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saag@ietf.org, ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Aug 2014 21:06:00 -0000

On Sat, Aug 23, 2014 at 09:33:27PM +0100, Stephen Farrell wrote:

> However, say we're wrong and someone who thinks OS is a waste
> of time is actually correct, what would such a person recommend
> that we do as well as, or instead of, OS?

For the record I started work on "opportunistic DANE TLS", in March
2013, well before PM became a major concern.  It was designed as
a way to scalably enable authentication in SMTP, by making that
opportunistic (enabled peer by peer as DANE TLSA RRs are deployed).

So I see OS as a strategy to incrementally broaden both the use of
encryption AND the use of authentication.

Whether protocols other than MTA-to-MTA SMTP can implement OS *with*
authentication remains to be seen.  I hope that will prove possible
over time.  For mobile device applications, we may have to wait
for the DNSSEC "last mile problem" to be largely addressed before
significant progress in that direction can be made.

-- 
	Viktor.
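The per-peer decision Viktor describes (authentication switched on only where a destination has published DNSSEC-signed TLSA records, plain opportunistic TLS elsewhere) can be modelled in a few dozen lines. The following Python is an added illustration for this archive page; it is not code from the message, from Postfix, or from any DANE implementation. It assumes the decision rules for opportunistic DANE TLS as later written down in RFC 7672 (secure TLSA RRset present: authenticate; secure zone but no TLSA: opportunistic TLS; TLSA published but no usable record: encrypt without authenticating), implements only DANE-EE (usage 3) matching against the leaf certificate, and uses constructed byte strings in place of real DER certificates. The `SecurityLevel`, `TlsaRecord` and `TlsaLookup` names are this example's own.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class SecurityLevel(Enum):
    """Outcome of the per-destination policy decision (names are this example's own)."""
    MAY = "may"          # opportunistic: use TLS if offered, else fall back to cleartext
    ENCRYPT = "encrypt"  # TLS mandatory, but the peer's identity is not verified
    DANE = "dane"        # TLS mandatory AND the certificate must match a TLSA record


@dataclass
class TlsaRecord:
    usage: int      # 0..3; only 3 (DANE-EE) is verified against the leaf in this example
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass
class TlsaLookup:
    """Constructed stand-in for a resolver answer; 'secure' means DNSSEC-validated."""
    secure: bool
    records: list = field(default_factory=list)


def usable(rec: TlsaRecord) -> bool:
    # Records with parameters the client cannot act on are ignored, not treated as failures.
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def choose_security_level(lookup: TlsaLookup) -> SecurityLevel:
    if not lookup.secure:
        # Unsigned zone (or no validating resolver): nothing trustworthy to authenticate
        # against, so the best available is opportunistic, unauthenticated TLS.
        return SecurityLevel.MAY
    if not lookup.records:
        # Signed zone but no TLSA RRset: this peer has not opted in yet, stay opportunistic.
        return SecurityLevel.MAY
    if not any(usable(r) for r in lookup.records):
        # TLSA published but nothing usable: the peer has signalled TLS support, so insist
        # on encryption while skipping authentication (assumed RFC 7672 behaviour).
        return SecurityLevel.ENCRYPT
    return SecurityLevel.DANE


def tlsa_matches(rec: TlsaRecord, leaf_cert_der: bytes, leaf_spki_der: bytes) -> bool:
    """DANE-EE (usage 3) check: does the leaf certificate, or its SPKI, match the record?"""
    if rec.usage != 3:
        return False  # usage 2 needs chain validation against a trust anchor; out of scope here
    target = leaf_cert_der if rec.selector == 0 else leaf_spki_der
    if rec.mtype == 0:
        return target == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(target).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(target).digest() == rec.data
    return False


def authenticate_peer(lookup: TlsaLookup, leaf_cert_der: bytes, leaf_spki_der: bytes) -> bool:
    """True only when the policy is DANE and at least one usable record matches the leaf."""
    if choose_security_level(lookup) != SecurityLevel.DANE:
        return False
    return any(tlsa_matches(r, leaf_cert_der, leaf_spki_der)
               for r in lookup.records if usable(r))


# Constructed sample data (not real certificates): stand-ins for DER byte strings.
SAMPLE_CERT = b"constructed-leaf-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
# Equivalent of a "3 1 1 <sha256-hex>" TLSA record for the sample SPKI.
SAMPLE_TLSA = TlsaRecord(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())
SAMPLE_TLSA_SHA512 = TlsaRecord(3, 0, 2, hashlib.sha512(SAMPLE_CERT).digest())

if __name__ == "__main__":
    lookup = TlsaLookup(secure=True, records=[SAMPLE_TLSA])
    print(choose_security_level(lookup).value)                 # dane
    print(authenticate_peer(lookup, SAMPLE_CERT, SAMPLE_SPKI))  # True
```

The point the model makes is the one in the message: the same client code yields unauthenticated encryption for destinations that have done nothing, and full authentication for destinations that have published signed TLSA records, so authentication spreads peer by peer without any flag day. A real client would additionally have to fetch the TLSA RRset at `_25._tcp.<mx-host>` through a validating resolver and extract the SPKI from the presented certificate, both of which are outside this offline example.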