Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 25 August 2015 07:27 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 519C31A8A7D for <saag@ietfa.amsl.com>; Tue, 25 Aug 2015 00:27:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6qRGmc_IYR8t for <saag@ietfa.amsl.com>; Tue, 25 Aug 2015 00:27:22 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1900F1A6F5D for <saag@ietf.org>; Tue, 25 Aug 2015 00:27:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1440487642; x=1472023642; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=C67HI0Z+MH+MWdwySeQMX/ufpww3Abuw6Z7g/+5LgVc=; b=MeONCbsmj7oj1m3/VSyITFCLhOy1yoCqDRQPvN/MMgMJbqvE3fTagrXQ qXivcLCYKYsNn1c653NVvy+N3GRCiAyLZl6u6KGBH61mLbJTU/Nvq2Kvb a+vd0t2fd+XAfnhcp8dptwBSjPl8V0iUmLYENaysXY5rcdyTPMTXoEVTr 5Ip4XCUND0fYFNo/3sUhCk1fBmRnxumEPqxZltW+9ORLBtkQR6eK9PBhw u4yr5eC9Il+mc+7oaZJSTCrkUr8DNXADHtW5PGs5cRKITAQKgnqC1sZN/ mdfIFgRQLZiQ3G5L1wY2IqWNMUpqY4fGLCAtXO2e9bzsia3EhCrBOi6LL Q==;
X-IronPort-AV: E=Sophos;i="5.15,744,1432555200"; d="scan'208";a="37572430"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 25 Aug 2015 19:26:54 +1200
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.48]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.03.0174.001; Tue, 25 Aug 2015 19:26:53 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] AD review of draft-iab-crypto-alg-agility-06
Thread-Index: AQHQ3qvbT9ZhMqG4SESDb9hHYel1Rp4a4U6AgAAA+wCAAAUHgIABabjA
Date: Tue, 25 Aug 2015 07:26:53 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4AE62A1@uxcn10-5.UoA.auckland.ac.nz>
References: <55A938F1.9090404@cs.tcd.ie> <CD936D80-BEA2-4918-828C-E3A392761EC5@gmail.com> <20150727194020.GD15860@localhost> <55B6D36C.70105@iang.org> <20150728013020.GO4347@mournblade.imrryr.org> <DM2PR0301MB0655CF099FA7C56E9B9D24A9A88D0@DM2PR0301MB0655.namprd03.prod.outlook.com> <20150728053035.GR4347@mournblade.imrryr.org> <CAHbuEH7B3_G9vAhw=U2tuz-Uh8mKMUfL6s=H+BOG96FDZaACig@mail.gmail.com> <20150824212907.GN9021@mournblade.imrryr.org> <619ffebb05ba4e2a9af03a6dcc768d6e@ustx2ex-dag1mb2.msg.corp.akamai.com>, <20150824215037.GO9021@mournblade.imrryr.org>
In-Reply-To: <20150824215037.GO9021@mournblade.imrryr.org>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/3XngX7G1XsvZBZBq1GfiMjyTfx8>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2015 07:27:26 -0000

Viktor Dukhovni <ietf-dane@dukhovni.org>; writes:

>Opportunistic TLS was added to Microsoft Exchange 2003, and further extended
>in 2007.

It's not true opportunistic TLS (unless they've fixed it recently), it's "pay
a commercial CA to be allowed to do TLS", unlike pretty much every other MTA
I'm aware of which allows you to just set up and go without having to buy a
cert for each server.

(I'm not saying this as part of some anti-CA crusade, but to point out that
Exchange puts a considerable hurdle in the way of universal opportunstic TLS
for email.  To do opportunistic TLS with Postfix or most (all?) other MTAs,
you need just the MTA.  To do it with Exchange, you need the MTA plus
permission from a commercial CA to use TLS.  In the interests of getting hard
data for this, I wrote to Aaron Zauner, who did the TLS-with-SMTP survey, a
few days ago to ask if he has distinct stats for Exchange vs. everything else).

Peter.