Re: [perpass] blast from the past
Douglas Otis <doug.mtview@gmail.com> Thu, 30 January 2014 19:37 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE0CC1A0451 for <perpass@ietfa.amsl.com>; Thu, 30 Jan 2014 11:37:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAosnyOLSGiu for <perpass@ietfa.amsl.com>; Thu, 30 Jan 2014 11:37:15 -0800 (PST)
Received: from mail-pd0-x22a.google.com (mail-pd0-x22a.google.com [IPv6:2607:f8b0:400e:c02::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 3695A1A0450 for <perpass@ietf.org>; Thu, 30 Jan 2014 11:37:15 -0800 (PST)
Received: by mail-pd0-f170.google.com with SMTP id p10so3410081pdj.29 for <perpass@ietf.org>; Thu, 30 Jan 2014 11:37:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=zkbdnxaRUG8KhOd9B5iQcYZOFuKHUwZlVf+U9QTxYCU=; b=gHPrPGLD6bV5orPEd6PA0LJTFbijY0ExgrXrHLKUa7anxq0N0ZsCJ/HYsCRpB4Sds+ 2RcMLYwqLxyjSws/0JXLRVm7zfw5kvnXq2gn9pkDoxh7N7ZHrmJmQTSNsCx5JNn5+kDA +voXsceai3vRqjPguwNqvHi0Ev8yU41VbCJNaUD76bBIE9Kn0JV2CfGeHh47N00+ACKZ 5Nf1YZIwGBGjyz9fppJ5BA0C2ujQIPSC3z3bE7UmSYQV3SFuJOPICMpPulUigKUKp6TK +rGjrKzhf5XMHU4I3qrDYXYSyj5wTrt9V6IC2VXg2o/AaDtO6ao9FscSA0SWKwnGwZkc JdmA==
X-Received: by 10.66.26.10 with SMTP id h10mr16172240pag.24.1391110632003; Thu, 30 Jan 2014 11:37:12 -0800 (PST)
Received: from [192.168.2.232] (c-67-188-1-12.hsd1.ca.comcast.net. [67.188.1.12]) by mx.google.com with ESMTPSA id e6sm20116724pbg.4.2014.01.30.11.37.09 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 30 Jan 2014 11:37:10 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <52E842EE.2030508@gmail.com>
Date: Thu, 30 Jan 2014 11:37:09 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <B89FBA95-9769-4F3B-BCCD-7AAB4AF06CA0@gmail.com>
References: <8FEC00FC-D83C-4FB2-8FE3-C8536CEAC814@sobco.com> <52E842EE.2030508@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.1827)
Cc: perpass <perpass@ietf.org>, "Scott O. Bradner" <sob@sobco.com>
Subject: Re: [perpass] blast from the past
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jan 2014 19:37:17 -0000
On Jan 28, 2014, at 3:53 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: > On 29/01/2014 12:39, Scott O. Bradner wrote: >> I just remembered that we talked about setting a direction towards protection quite a while ago in RFC 1752 >> (the IPv6 recommendation) >> >> We feel that an improvement in the basic level of security in the >> Internet is vital to its continued success. Users must be able to >> assume that their exchanges are safe from tampering, diversion and >> exposure. Organizations that wish to use the Internet to conduct >> business must be able to have a high level of confidence in the >> identity of their correspondents and in the security of their >> communications. The goal is to provide strong protection as a matter >> of course throughout the Internet. >> >> Scott > > I also noticed that we said this in RFC 1958: > > 6.2 It is highly desirable that Internet carriers protect the privacy > and authenticity of all traffic, but this is not a requirement of the > architecture. Confidentiality and authentication are the > responsibility of end users and must be implemented in the protocols > used by the end users. Endpoints should not depend on the > confidentiality or integrity of the carriers. Carriers may choose to > provide some level of protection, but this is secondary to the > primary responsibility of the end users to protect themselves. > > Brian Dear Brian, Agreed. In addition, lack of SMTP client authentication is a primary reason IPv6 email remains difficult service to defend. Endpoint authentication is possible. StartTLS or TLS can exchange client and server certificates as a means to authenticate these endpoints while also protecting transactions from third-party monitoring. If only... DKIM authenticates signed portions of a message in a manner independent of the sender without ensuring proper delivery or trivial checks protecting against message spoofing. Nearly all email is exchanged as clear text where just the sender IP address offers a practical means to identify and block abuse. IPv6 email defense remains problematic, where attempts often employ various DNS derived authorization extensions which might even offer greater exposures. Reliance on IP addresses with insecure DNS exposes email to difficult to detect forms of router and DNS spoofing which may permit undetected MiTM attacks. Regards, Douglas Otis
- [perpass] blast from the past Scott O. Bradner
- Re: [perpass] blast from the past Brian E Carpenter
- Re: [perpass] blast from the past Douglas Otis