Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

Lars Eggert <lars@eggert.org> Tue, 26 March 2019 16:37 UTC

From: Lars Eggert <lars@eggert.org>
Message-Id: <0E00BED9-74D4-4594-A7AC-FCD624461DD7@eggert.org>
Date: Tue, 26 Mar 2019 17:35:27 +0100
In-Reply-To: <3705AA25-10DF-43BF-BE1D-B0BE27F705DE@eggert.org>
Cc: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>, NFSv4 <nfsv4@ietf.org>
To: Olga Kornievskaia <aglo@umich.edu>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de> <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com> <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de> <CAN-5tyGggDUe2DNSjRc6vAyXgGo4LVwYVK5zmTOyr0soPFVKrQ@mail.gmail.com> <3705AA25-10DF-43BF-BE1D-B0BE27F705DE@eggert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/ma0Jrh4Ht5kNkUbuhIkIEPIO2-A>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

On 2019-3-26, at 17:33, Lars Eggert <lars@eggert.org> wrote:
> Also note that STARTTLS is somewhat less secure than running TLS directly. See for example Section 6 of RFC3207:
> 
>    A man-in-the-middle attack can be launched by deleting the "250
>    STARTTLS" response from the server.  This would cause the client not
>    to try to start a TLS session.  Another man-in-the-middle attack is
>    to allow the server to announce its STARTTLS capability, but to alter
>    the client's request to start TLS and the server's response.
>    ...

And RFC8314 recommends (for mail) that "implicit TLS" should be used instead of STARTTLS.

Lars
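The following is an added example, not code from this thread or from any of the drafts it discusses. It walks the client side of an SMTP STARTTLS upgrade and models the two tampering cases quoted above from RFC 3207 Section 6 (the STARTTLS advertisement removed from the EHLO reply, and the reply to the client's STARTTLS command altered), showing why an opportunistic client silently ends up in cleartext while a fail-closed "TLS required" policy aborts instead. It also builds the kind of context an implicit-TLS connection (the RFC 8314 recommendation) would use. All server replies are constructed sample data, the host names are placeholders, and no network I/O is performed.

```python
"""Client-side STARTTLS policy check (added example; constructed data, no network I/O)."""
import ssl

# Constructed EHLO replies (not captured from a real server).
EHLO_WITH_STARTTLS = [
    "250-mail.example.test greets client.example.test",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 HELP",
]
# The same reply as the client would see it if an on-path attacker deleted the STARTTLS line.
EHLO_WITHOUT_STARTTLS = [
    "250-mail.example.test greets client.example.test",
    "250-SIZE 35882577",
    "250 HELP",
]


class TlsRequiredError(Exception):
    """Raised when policy demands TLS but the session cannot be upgraded."""


def advertised_extensions(ehlo_reply):
    """Parse a multi-line EHLO reply into the set of advertised extension keywords."""
    exts = set()
    for line in ehlo_reply[1:]:            # line 0 is the greeting, not an extension
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        keyword = line[4:].split(" ", 1)[0]  # '250-SIZE 35882577' -> 'SIZE'
        exts.add(keyword.upper())
    return exts


def starttls_session(ehlo_reply, starttls_reply, require_tls):
    """Walk the client side of a STARTTLS upgrade; return (outcome, transcript).

    outcome is "tls" or "plaintext". With require_tls=True the client fails closed:
    either tampering case from RFC 3207 Section 6 raises TlsRequiredError instead
    of letting the session continue in cleartext.
    """
    transcript = ["C: EHLO client.example.test"]
    transcript += [f"S: {line}" for line in ehlo_reply]
    if "STARTTLS" not in advertised_extensions(ehlo_reply):
        if require_tls:
            raise TlsRequiredError("server did not advertise STARTTLS; refusing cleartext session")
        transcript.append("C: (continuing in cleartext)")
        return "plaintext", transcript
    transcript.append("C: STARTTLS")
    transcript.append(f"S: {starttls_reply}")
    if not starttls_reply.startswith("220"):
        # Per RFC 3207 only a 220 reply means the server is ready to start TLS.
        if require_tls:
            raise TlsRequiredError(f"STARTTLS refused or altered: {starttls_reply!r}")
        transcript.append("C: (continuing in cleartext)")
        return "plaintext", transcript
    transcript.append("C: <TLS handshake, then EHLO again over the encrypted channel>")
    return "tls", transcript


def session_outcome(ehlo_reply, starttls_reply, require_tls):
    """Map the fail-closed exception to a plain label for comparison."""
    try:
        return starttls_session(ehlo_reply, starttls_reply, require_tls)[0]
    except TlsRequiredError:
        return "refused"


def implicit_tls_context():
    """Context for an implicit-TLS connection (RFC 8314 style, e.g. submissions on 465).

    The handshake happens before any SMTP command is exchanged, so there is no
    cleartext capability negotiation for an on-path attacker to edit.
    """
    ctx = ssl.create_default_context()          # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    cases = [
        (EHLO_WITH_STARTTLS, "220 Ready to start TLS"),
        (EHLO_WITHOUT_STARTTLS, "220 Ready to start TLS"),
        (EHLO_WITH_STARTTLS, "454 TLS not available due to temporary reason"),
    ]
    for ehlo, reply in cases:
        for policy in (False, True):
            print(f"require_tls={policy}: {session_outcome(ehlo, reply, policy)}")
```

The opportunistic client (require_tls=False) reaches "plaintext" in both tampering cases without any error, which is exactly the downgrade RFC 3207 describes; the required-TLS client refuses in both. The implicit-TLS context has no equivalent decision point because the TLS handshake precedes the first protocol message.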