Re: IETF mail server and SSLv3

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 03 March 2016 07:11 UTC

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Subject: Re: IETF mail server and SSLv3
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <m237s8ax5m.wl%randy@psg.com>
Date: Thu, 03 Mar 2016 02:11:46 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <258C9930-4852-4A84-AB7D-F843D0E04C28@dukhovni.org>
References: <F38A9FEF-7DBB-4F40-860E-6CB425E5EEE3@ietf.org> <sjmvb66r1st.fsf@securerf.ihtfp.org> <ABDE99FE-4884-4B2C-8115-8D9CB03D372B@vigilsec.com> <m237s8ax5m.wl%randy@psg.com>
To: ietf@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/bPb8Gc-YXlpLFqrnRjVUhob7utk>
Precedence: list
Reply-To: ietf@ietf.org

> On Mar 3, 2016, at 1:33 AM, Randy Bush <randy@psg.com> wrote:
> 
> i expect that, at least for the rest of my career, there will always be
> stronger and weaker crypto.  and we will repeatedly go through the pain
> of purging the [then] weak, with folk screaming about compatibility with
> doors 2005.

The way I see it for opportunistic TLS in general, and Postfix specifically,
is that the sensible approach is to prune the deadwood once it is no longer
useful for interoperability except with a theoretical, but in practice negligible
to non-existent minority of peers.  That is, once removing obsolete 
and week crypto has no practical negative consequences, we should just do it.

What makes this possible is widespread adoption of better alternatives, at
which point algorithm agility (often derided in some circles) makes it
possible to move on.

At this point SSLv2, SSLv3, EXPORT ciphers and single DES are disabled in
Postfix by default.  It is sensible for ietf.org to apply similar settings.

-- 
	Viktor.

Re: IETF mail server and SSLv3 Lixia Zhang
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 John Levine
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
IETF mail server and SSLv3 IETF Chair
Re: IETF mail server and SSLv3 tom p.
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Jari Arkko
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Jari Arkko
Re: IETF mail server and SSLv3 Derek Atkins
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Lixia Zhang
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 Martin Rex
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Solarus
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Solarus
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Martin Rex
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Russ Housley
Re: IETF mail server and SSLv3 Randy Bush
Re: IETF mail server and SSLv3 Stephen Farrell
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Doug Barton
RE: IETF mail server and SSLv3 Christian Huitema