Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Viktor Dukhovni, Tue, 25 August 2015 16:06 UTC


On Tue, Aug 25, 2015 at 03:44:12PM +0000, Salz, Rich wrote:

> > Opportunistic TLS is supported in at least Exchange 2007 and later.
> > I don't recall what Exchange 2003 did outbound, I only recall helping
> > Microsoft to design fixes for various issues prior to the release of Exchange
> > 2007.  Some flaws remain, but it is largely workable without a CA tax.
> This is important.  It means that for SMTP, OS really started in 2005 with
> Postfix and 2007 for Exchange?   If so, then there is really no need to
> support RC4.  STARTTLS, as Peter was saying, can imply more than just OS,
> as MS really wants a CA to be involved.  Since a principal tenet of OS is
> *unauthenticated* privacy, it appears that the discussion has conflated
> the two.

You're reading too much into the tea leaves.  Exchange as a server
supported inbound STARTTLS since 2003 and a non-trivial number of
deployed systems are of that vintage.  There was STARTTLS support
in Postfix as shipped in some Linux distributions, well before the
feature was officially adopted and improved by Wietse for Postfix
2.2 in 2005.

Yes, Exchange support for STARTTLS was improved (for outbound TLS)
in 2007.  However, Exchange was not and is not a dominant edge MTA.
It is used inside networks a lot more than at the edge.

There is longstanding STARTTLS support in Sendmail, Qmail, Exim,
Ironport appliances, Kerio appliances, ...

STARTTLS for SMTP has a large deployed base, with many of the
systems running less-capable "vintage" software.  How long ago they
got there is not especially relevant.  Your conclusions about RC4
with SMTP are, I'm afraid, wishful thinking.

Users are having real issues delivering email to RC4-only systems.
Downgrading those to cleartext (and sometimes failing delivery
entirely) is not a win.  I'll deprecate RC4 in Postfix as soon as
possible, but not sooner.

In any case, whether it is RC4 now, or some other deprecated
ciphersuite in the future, with opportunistic security one needs to
pay more attention to what interoperates than what is unequivocally
strong.  The goal is as much security as can be realistically had,
not "all or nothing".  I like to make an analogy with vaccination:
we're protecting the infrastructure as a whole, rather than guaranteeing
security for a particular flow.
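The tradeoff Viktor describes (keep RC4-only peers encrypted under opportunistic TLS rather than downgrading them to cleartext, while still refusing weak ciphers where TLS is mandatory) can be expressed directly in Postfix cipher policy. The following main.cf fragment is an added illustration, not configuration from the message or from the Postfix project; the domain name and the policy-map path are constructed for the example.

```ini
# main.cf fragment (added illustration; parameters are standard Postfix
# smtp(8) client TLS settings, values chosen for this example).

# Outbound: opportunistic TLS. If the peer offers no usable TLS, Postfix
# falls back to cleartext instead of failing delivery.
smtp_tls_security_level = may

# Cipher grade for opportunistic sessions. "medium" interoperates with
# older peers; RC4 is deliberately NOT excluded at this level, so mail to
# an RC4-only server is still encrypted rather than sent in the clear.
smtp_tls_ciphers = medium

# Cipher policy for destinations where TLS is mandatory (see the policy
# map below). A destination marked "encrypt" has already accepted that
# delivery fails rather than proceed over weak or absent TLS, so here we
# require the "high" grade and drop RC4 outright.
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = RC4

# Log the negotiated protocol and ciphersuite for each delivery, so the
# population of RC4-only peers can be measured before RC4 is deprecated.
smtp_tls_loglevel = 1

# Per-destination overrides. The map is a constructed example; it would
# be built with "postmap hash:/etc/postfix/tls_policy".
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (constructed example):
#   partner.example.com   encrypt
# Everything else keeps the opportunistic "may" default above.
```

Reload Postfix after editing main.cf and rebuilding the policy map; the `smtp_tls_loglevel = 1` lines in the mail log then show which peers still negotiate RC4 and how many deliveries would be affected by excluding it at the opportunistic level as well.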