Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06
Russ Housley <housley@vigilsec.com> Tue, 01 September 2015 20:59 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C99951B4094 for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 13:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QAfn7C-qAJVC for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 13:59:14 -0700 (PDT)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 73EF21B3AB9 for <saag@ietf.org>; Tue, 1 Sep 2015 13:59:14 -0700 (PDT)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id 08632F24132 for <saag@ietf.org>; Tue, 1 Sep 2015 16:59:04 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id R9iYna-kQByJ for <saag@ietf.org>; Tue, 1 Sep 2015 16:57:46 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 0D89BF24145 for <saag@ietf.org>; Tue, 1 Sep 2015 16:58:42 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1085)
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20150901165526.GU9021@mournblade.imrryr.org>
Date: Tue, 01 Sep 2015 16:58:31 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <4F6E430F-61E7-46BA-9B4A-8E12156B62FA@vigilsec.com>
References: <CAHbuEH6w+O-TSA9SRP-9TrM+Hdh+vn7Me+tdJrFTNY_-Nbenug@mail.gmail.com> <20150901165526.GU9021@mournblade.imrryr.org>
To: saag@ietf.org
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/126Is19mhYYuWKnEvRSYSYg6Woo>
Subject: Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 20:59:15 -0000
I'm trying to pull together the things that I have heard on this thread over the last week regarding Section 2.9. I think I have captured them. Please let me know if I missed something? 2.9. Opportunistic Security Despite the guidance in Section 2.4, opportunistic security [RFC7435] also deserves consideration, especially at the time a protocol implementation is deployed and configured. Using algorithms that are weak against advanced attackers but sufficient against others is one way to make pervasive surveillance significantly more difficult. As a result, algorithms that would not be acceptable in many negotiated situations are acceptable for opportunistic security when legacy systems are in use for unauthenticated encrypted sessions as discussed in Section 3 of [RFC7435] as long as their use does not facilitate downgrade attacks. Similarly, weaker algorithms and shorter key sizes are also acceptable for opportunistic security with the same constraints. That said, the use of strong algorithms is always preferable. Russ
- [saag] Section 2.9: was Re: AD review of draft-ia… Kathleen Moriarty
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Eliot Lear
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Steve Crocker
- Re: [saag] Section 2.9: was Re: AD review of draf… Salz, Rich
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Kathleen Moriarty
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Sam Hartman
- Re: [saag] Section 2.9: was Re: AD review of draf… Kathleen Moriarty
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Barry Leiba
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Kathleen Moriarty
- Re: [saag] Section 2.9: was Re: AD review of draf… Stephen Farrell
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Sam Hartman
- Re: [saag] Section 2.9: was Re: AD review of draf… Kathleen Moriarty