Re: TLS on disconnected/intermittently connected networks

Keith Moore <> Thu, 04 March 2021 19:59 UTC

List-Id: IETF-Discussion

On 3/4/21 2:46 PM, Viktor Dukhovni wrote:

>> On Mar 4, 2021, at 4:44 PM, Keith Moore <> wrote:
>> There are lots of applications (including but not limited to ordinary web browsers and servers) running on disconnected and intermittently-connected networks out there that need encryption, and which can't practically use TLS, because they don't use DNS or even host files. But it's not a limitation of the TLS protocol so much as of the APIs and the code that does certificate verification.
> TLS without DNS name checks and/or without any hierarchical PKI
> is directly supported by OpenSSL.

Yes, I know.  But people need web browsers that can do this.  And there's 
still a need to thwart active attacks in such environments.

IOW it's not only TLS and X.509 that are needed, but a stack (including 
browser) that can use these without needing DNS or external connectivity.
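The exchange above turns on a point that is easy to get wrong in practice: turning off the DNS name check and the CA chain is one line in most TLS stacks, but doing only that leaves the connection open to exactly the active attacker Keith mentions. What a disconnected network actually needs is a different trust anchor, such as a pin on the server's public key distributed out of band. The following is an added example, not code from the thread or from OpenSSL; it uses Go's crypto/tls rather than the OpenSSL API Viktor refers to. It assumes the client has been provisioned with the SHA-256 of the server's SubjectPublicKeyInfo by some non-network channel (a USB stick, a QR code, a config file), and it runs entirely over loopback with a throwaway self-signed certificate that carries no DNS name at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate with no SAN and no
// CA above it: the node is identified by its key, not by a name or a hierarchy.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "disconnected-node"}, // hypothetical name, never checked
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin returns hex(SHA-256(SubjectPublicKeyInfo)) of a DER certificate. This is
// the value the client is assumed to receive out of band; pinning the SPKI rather
// than the whole certificate lets the server reissue its cert without re-provisioning.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// pinnedClientConfig skips the DNS name check and the PKI chain (InsecureSkipVerify)
// and replaces them with an SPKI pin. Without VerifyConnection this config would
// accept any certificate an active attacker chose to present.
func pinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // no name, no CA: authentication happens below instead
		MinVersion:         tls.VersionTLS13,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no peer certificate")
			}
			got, err := spkiPin(cs.PeerCertificates[0].Raw)
			if err != nil {
				return err
			}
			if got != pin {
				return fmt.Errorf("SPKI pin mismatch: got %s", got)
			}
			return nil
		},
	}
}

// handshakeWithPin serves serverCert on a loopback listener and dials it with a client
// that trusts only pin. It returns the client's handshake error, nil on success.
func handshakeWithPin(serverCert tls.Certificate, pin string) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS13}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake() // a client-side abort surfaces here as an error too
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), pinnedClientConfig(pin))
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	pin, _ := spkiPin(cert.Certificate[0])
	fmt.Println("correct pin:", handshakeWithPin(cert, pin))
	fmt.Println("attacker key:", handshakeWithPin(cert, "0000000000000000000000000000000000000000000000000000000000000000"))
}
```

The second dial stands in for a machine-in-the-middle presenting its own key: the handshake is refused even though no name and no CA were consulted. A browser that exposed the same hook (accept this SPKI for this address, nothing else) would cover the disconnected-network case the thread is about without touching the TLS protocol itself.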