Re: IETF mail server and SSLv3
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 03 March 2016 18:47 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 399D01B3180 for <ietf@ietfa.amsl.com>; Thu, 3 Mar 2016 10:47:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XMzLbap_Dg4A for <ietf@ietfa.amsl.com>; Thu, 3 Mar 2016 10:47:13 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F39B1B3BB9 for <ietf@ietf.org>; Thu, 3 Mar 2016 10:47:13 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 13FF3284CDB; Thu, 3 Mar 2016 18:47:12 +0000 (UTC)
Date: Thu, 03 Mar 2016 18:47:12 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: IETF mail server and SSLv3
Message-ID: <20160303184711.GH10917@mournblade.imrryr.org>
References: <F38A9FEF-7DBB-4F40-860E-6CB425E5EEE3@ietf.org> <sjmvb66r1st.fsf@securerf.ihtfp.org> <ABDE99FE-4884-4B2C-8115-8D9CB03D372B@vigilsec.com> <m237s8ax5m.wl%randy@psg.com> <258C9930-4852-4A84-AB7D-F843D0E04C28@dukhovni.org> <56D819FD.2080205@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <56D819FD.2080205@cs.tcd.ie>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/aJI9ANFm2QMV8A9zDs36HYP-TJI>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2016 18:47:15 -0000
On Thu, Mar 03, 2016 at 11:03:25AM +0000, Stephen Farrell wrote: > > The way I see it for opportunistic TLS in general, and Postfix specifically, > > is that the sensible approach is to prune the deadwood once it is no longer > > useful for interoperability except with a theoretical, but in practice negligible > > to non-existent minority of peers. That is, once removing obsolete > > and week crypto has no practical negative consequences, we should just do it. > > This was something we debated during the processing of > RFC7435. I do think the OS approach is a fine thing, but > I'd be much more for ditching weak crypto than you. We're not in significant disagreement. I'm not advocating keeping weak crypto around, in fact the opposite. Rather I drawing advocating some attention to balancing interoperability needs in the timing of the removal. For opportunistic security, breaking interoperability *in practice* (not just in theory) is to be avoided in the early phase of deprecation when better alternatives are not sufficiently widely deployed. If or once better alternatives are almost universally deployed, out it goes. -- Viktor.
- Re: IETF mail server and SSLv3 Lixia Zhang
- Re: IETF mail server and SSLv3 John C Klensin
- Re: IETF mail server and SSLv3 John Levine
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- IETF mail server and SSLv3 IETF Chair
- Re: IETF mail server and SSLv3 tom p.
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 Jari Arkko
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 Jari Arkko
- Re: IETF mail server and SSLv3 Derek Atkins
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 John C Klensin
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 John C Klensin
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 Lixia Zhang
- Re: IETF mail server and SSLv3 John C Klensin
- Re: IETF mail server and SSLv3 Martin Rex
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Solarus
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Solarus
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Martin Rex
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Russ Housley
- Re: IETF mail server and SSLv3 Randy Bush
- Re: IETF mail server and SSLv3 Stephen Farrell
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Doug Barton
- RE: IETF mail server and SSLv3 Christian Huitema