Re: IETF mail server and SSLv3
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 03 March 2016 11:03 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 821001A8A7F for <ietf@ietfa.amsl.com>; Thu, 3 Mar 2016 03:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.307
X-Spam-Level:
X-Spam-Status: No, score=-4.307 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V0ulKpkGfbqE for <ietf@ietfa.amsl.com>; Thu, 3 Mar 2016 03:03:27 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C3191A8A63 for <ietf@ietf.org>; Thu, 3 Mar 2016 03:03:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 9FCB5BE8A for <ietf@ietf.org>; Thu, 3 Mar 2016 11:03:25 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YPqTGr0NKZ65 for <ietf@ietf.org>; Thu, 3 Mar 2016 11:03:25 +0000 (GMT)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 18E43BE5C for <ietf@ietf.org>; Thu, 3 Mar 2016 11:03:25 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1457003005; bh=r+wYyk1jxKcLC3QI+rVmcbQLsCk0YMVk7lto/aJjpZs=; h=Subject:To:References:From:Date:In-Reply-To:From; b=VIMQku4SvhkEGVn0hznkQ9XjZeEAYYstFFoGEEaCjIZ45bBkHBpySsddOZP5uNEGg C+CX5tRE1x7RPylxy28RVZTtC34XOWEQ/2NOgYbVTVRx5KgddN9Wb2KKPAk/2/WBcx n1G45TXQQcTAG3hzYbMfwyVO1X3qMAoGrddjdu9I=
Subject: Re: IETF mail server and SSLv3
To: ietf@ietf.org
References: <F38A9FEF-7DBB-4F40-860E-6CB425E5EEE3@ietf.org> <sjmvb66r1st.fsf@securerf.ihtfp.org> <ABDE99FE-4884-4B2C-8115-8D9CB03D372B@vigilsec.com> <m237s8ax5m.wl%randy@psg.com> <258C9930-4852-4A84-AB7D-F843D0E04C28@dukhovni.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56D819FD.2080205@cs.tcd.ie>
Date: Thu, 03 Mar 2016 11:03:25 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <258C9930-4852-4A84-AB7D-F843D0E04C28@dukhovni.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060209050509040908020105"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/hkYgwtVBf6hhmNJMdnIAgmlXJs8>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2016 11:03:29 -0000
On 03/03/16 07:11, Viktor Dukhovni wrote: > The way I see it for opportunistic TLS in general, and Postfix specifically, > is that the sensible approach is to prune the deadwood once it is no longer > useful for interoperability except with a theoretical, but in practice negligible > to non-existent minority of peers. That is, once removing obsolete > and week crypto has no practical negative consequences, we should just do it. This was something we debated during the processing of RFC7435. I do think the OS approach is a fine thing, but I'd be much more for ditching weak crypto than you. DROWN, LOGJAM and other attacks demonstrate that keeping weak crypto code around does have negative consequences, and with DROWN those are pretty impressively negative. Cheers, S.
- Re: IETF mail server and SSLv3 Lixia Zhang
- Re: IETF mail server and SSLv3 John C Klensin
- Re: IETF mail server and SSLv3 John Levine
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- IETF mail server and SSLv3 IETF Chair
- Re: IETF mail server and SSLv3 tom p.
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 Jari Arkko
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 Jari Arkko
- Re: IETF mail server and SSLv3 Derek Atkins
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 John C Klensin
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 John C Klensin
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 ned+ietf
- Re: IETF mail server and SSLv3 Lixia Zhang
- Re: IETF mail server and SSLv3 John C Klensin
- Re: IETF mail server and SSLv3 Martin Rex
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Solarus
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Solarus
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Martin Rex
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Russ Housley
- Re: IETF mail server and SSLv3 Randy Bush
- Re: IETF mail server and SSLv3 Stephen Farrell
- Re: IETF mail server and SSLv3 Phillip Hallam-Baker
- Re: IETF mail server and SSLv3 Viktor Dukhovni
- Re: IETF mail server and SSLv3 Doug Barton
- RE: IETF mail server and SSLv3 Christian Huitema