TLS on disconnected/intermittently connected networks (was: Re: What ASN.1 got right)

Keith Moore <> Thu, 04 March 2021 18:44 UTC


On 3/4/21 9:57 AM, Phillip Hallam-Baker wrote:

> It is really rare that people try to use TLS without Internet 
> connectivity.

That might be due in part to the association, in practice, of TLS with 
verification of DNS names in server certificates.

There are lots of applications (including but not limited to ordinary 
web browsers and servers) running on disconnected and 
intermittently-connected networks out there that need encryption, and 
which can't practically use TLS, because they don't use DNS or even host 
files. But it's not a limitation of the TLS protocol so much as of the 
APIs and the code that does certificate verification.
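An added example, not code from the thread or from any project it mentions, of what "the APIs and the code that does certificate verification" can look like when there is no DNS name to check: chain validation stays on against a locally provisioned CA, and peer identity is established by a pinned certificate fingerprint instead of a hostname. The CA file path, pin values and address are placeholders; the sample bytes in the test are constructed, not a real certificate.

```python
import hashlib
import socket
import ssl


def make_context(cafile=None):
    """Client context for a network with no DNS: validate the chain,
    but do not try to match a DNS name in the server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # nothing to match against here
    ctx.verify_mode = ssl.CERT_REQUIRED    # chain must still verify
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # local trust anchor (placeholder path)
    return ctx


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded end-entity certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def identity_ok(der_cert, pins):
    """The identity check that replaces hostname matching: the presented
    certificate must be one the client was provisioned with out of band."""
    return fingerprint(der_cert) in pins


def connect(addr, port, pins, cafile):
    """Open a TLS connection to a peer known only by address and pinned cert.
    Returns the negotiated protocol version on success."""
    ctx = make_context(cafile)
    with socket.create_connection((addr, port)) as raw:
        with ctx.wrap_socket(raw) as tls:
            der = tls.getpeercert(binary_form=True)
            if not identity_ok(der, pins):
                raise ssl.SSLCertVerificationError("peer certificate is not pinned")
            return tls.version()


if __name__ == "__main__":
    # Placeholder values: replace with the provisioned CA file and pin set.
    print(connect("192.0.2.10", 8443, {"<pinned-sha256-hex>"}, "/path/to/local-ca.pem"))
```

Disabling `check_hostname` is only safe because `identity_ok` supplies the identity binding that the hostname match normally provides; without that second check the connection would be authenticated only as "some certificate this CA issued".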