Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Peter Gutmann <> Tue, 25 August 2015 07:27 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 519C31A8A7D for <>; Tue, 25 Aug 2015 00:27:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6qRGmc_IYR8t for <>; Tue, 25 Aug 2015 00:27:22 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1900F1A6F5D for <>; Tue, 25 Aug 2015 00:27:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1440487642; x=1472023642; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=C67HI0Z+MH+MWdwySeQMX/ufpww3Abuw6Z7g/+5LgVc=; b=MeONCbsmj7oj1m3/VSyITFCLhOy1yoCqDRQPvN/MMgMJbqvE3fTagrXQ qXivcLCYKYsNn1c653NVvy+N3GRCiAyLZl6u6KGBH61mLbJTU/Nvq2Kvb a+vd0t2fd+XAfnhcp8dptwBSjPl8V0iUmLYENaysXY5rcdyTPMTXoEVTr 5Ip4XCUND0fYFNo/3sUhCk1fBmRnxumEPqxZltW+9ORLBtkQR6eK9PBhw u4yr5eC9Il+mc+7oaZJSTCrkUr8DNXADHtW5PGs5cRKITAQKgnqC1sZN/ mdfIFgRQLZiQ3G5L1wY2IqWNMUpqY4fGLCAtXO2e9bzsia3EhCrBOi6LL Q==;
X-IronPort-AV: E=Sophos;i="5.15,744,1432555200"; d="scan'208";a="37572430"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES128-SHA; 25 Aug 2015 19:26:54 +1200
Received: from ([]) by ([]) with mapi id 14.03.0174.001; Tue, 25 Aug 2015 19:26:53 +1200
From: Peter Gutmann <>
To: "" <>
Thread-Topic: [saag] AD review of draft-iab-crypto-alg-agility-06
Thread-Index: AQHQ3qvbT9ZhMqG4SESDb9hHYel1Rp4a4U6AgAAA+wCAAAUHgIABabjA
Date: Tue, 25 Aug 2015 07:26:53 +0000
Message-ID: <>
References: <> <> <20150727194020.GD15860@localhost> <> <> <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 25 Aug 2015 07:27:26 -0000

Viktor Dukhovni <>; writes:

>Opportunistic TLS was added to Microsoft Exchange 2003, and further extended
>in 2007.

It's not true opportunistic TLS (unless they've fixed it recently), it's "pay
a commercial CA to be allowed to do TLS", unlike pretty much every other MTA
I'm aware of which allows you to just set up and go without having to buy a
cert for each server.

(I'm not saying this as part of some anti-CA crusade, but to point out that
Exchange puts a considerable hurdle in the way of universal opportunstic TLS
for email.  To do opportunistic TLS with Postfix or most (all?) other MTAs,
you need just the MTA.  To do it with Exchange, you need the MTA plus
permission from a commercial CA to use TLS.  In the interests of getting hard
data for this, I wrote to Aaron Zauner, who did the TLS-with-SMTP survey, a
few days ago to ask if he has distinct stats for Exchange vs. everything else).