Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Viktor Dukhovni <> Tue, 25 August 2015 19:07 UTC

List-Id: Security Area Advisory Group <>

On Tue, Aug 25, 2015 at 11:13:44AM -0700, Martin Thomson wrote:

> However, if we expect software to be updated in order to get
> opportunistic security, then I don't think it unreasonable to also
> expect it to be maintained on an ongoing basis.

And SMTP servers are updated from time to time, but the refresh
cycles are fairly long and the incentives to care about encryption
are not great.

If we want people to encrypt for the common good, despite lack of
apparent benefit to them, we must not erect barriers to adoption
in the form of interoperability problems.  Obsoleting mainstream
ciphers has a major interoperability impact and takes time
(especially RC4, which was rumoured better than CBC after CRIME and
BEAST, was the best cipher in Windows 2003, and outperformed the
alternatives in the absence of hardware support).

What RFC 7435 says is that OS systems can be more tolerant of
deprecated algorithms when interoperability considerations trump
the security analysis.  Such tolerance is not forever.

> If you accept that software that is updated once can be continuously
> maintained thereafter, then it's not a stretch to conclude that
> deploying good ciphers is equally feasible.

Deployment of good ciphers is taking place, slowly.  In the meantime,
there's email to be delivered, and users who rightly expect OS to
not get in the way.  Encryption is a nice-to-have.

    * Deliver the email
    * Encrypt if possible (RFC 3207, 7435)
    * Authenticate when requested by the peer
      (RFC 7435, SMTP DANE draft).

In practice, OS is working quite well: Google's outbound mail (which
is much less dominated by bulk mail ads than their inbound mail)
is now ~81+% encrypted, up from ~77% a year ago:
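The three-step priority list in the message above (deliver the mail; encrypt if possible; authenticate only when the peer asks for it) is the whole opportunistic-security policy in miniature, so here it is as an added Python example. This is not code from the message, from Postfix, or from any RFC: it models the per-destination decision an outbound SMTP client makes. The TLSA usability rule follows RFC 7672 (PKIX usages 0 and 1 are unusable for SMTP), and the "secure but unusable TLSA still forces unauthenticated TLS" branch mirrors the fallback Postfix documents for its dane level; the Peer inputs, scenario names and host names are constructed, and the cleartext fallback on a failed handshake is a simplification of how a real MTA retries.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """Effective transport security the client ends up with."""
    PLAINTEXT = "plaintext"  # no usable TLS; deliver anyway (RFC 7435)
    ENCRYPT = "encrypt"      # unauthenticated STARTTLS (RFC 3207)
    DANE = "dane"            # TLS authenticated against TLSA records (RFC 7672)


@dataclass(frozen=True)
class Tlsa:
    """One TLSA record: certificate usage, selector, matching type."""
    usage: int
    selector: int
    mtype: int

    def usable(self) -> bool:
        # RFC 7672: PKIX-TA(0) and PKIX-EE(1) are not usable for SMTP;
        # only DANE-TA(2)/DANE-EE(3) with known selector and matching type are.
        return self.usage in (2, 3) and self.selector in (0, 1) and self.mtype in (0, 1, 2)


@dataclass
class Peer:
    """Constructed view of one MX host plus the DNS answer for its TLSA RRset."""
    name: str
    offers_starttls: bool
    tlsa: tuple = ()             # Tlsa records returned for _25._tcp.<name>
    tlsa_secure: bool = False    # RRset validated by DNSSEC?
    handshake_ok: bool = True    # would the TLS handshake succeed?
    cert_matches_tlsa: bool = False


@dataclass(frozen=True)
class Decision:
    action: str   # "deliver" or "defer"
    level: Level
    reason: str


def decide(peer: Peer) -> Decision:
    """Apply the priority list: deliver; encrypt if possible; authenticate on request."""
    # Step 3: the peer asked to be authenticated by publishing secure, usable TLSA
    # records.  A DANE destination never downgrades: any failure defers the mail.
    if peer.tlsa_secure and any(r.usable() for r in peer.tlsa):
        if not peer.offers_starttls:
            return Decision("defer", Level.DANE, "TLSA published but STARTTLS not offered")
        if not peer.handshake_ok:
            return Decision("defer", Level.DANE, "TLS handshake failed; no cleartext fallback")
        if not peer.cert_matches_tlsa:
            return Decision("defer", Level.DANE, "certificate does not match TLSA records")
        return Decision("deliver", Level.DANE, "authenticated TLS")

    # Secure TLSA RRset whose records are all unusable: TLS stays mandatory but
    # unauthenticated (mirrors the fallback Postfix documents for its dane level).
    if peer.tlsa_secure and peer.tlsa:
        if peer.offers_starttls and peer.handshake_ok:
            return Decision("deliver", Level.ENCRYPT, "TLSA unusable; unauthenticated TLS required")
        return Decision("defer", Level.ENCRYPT, "TLSA unusable and TLS unavailable")

    # Step 2: encrypt if possible.  TLSA records without DNSSEC are ignored,
    # since whoever can forge the DNS answer could forge them too.
    if peer.offers_starttls:
        if peer.handshake_ok:
            return Decision("deliver", Level.ENCRYPT, "opportunistic STARTTLS")
        # Step 1 wins: RFC 7435 tolerance means a failed handshake (say, no
        # cipher in common) ends in cleartext delivery rather than a bounce.
        # Real MTAs typically retry or try the next MX; simplified here.
        return Decision("deliver", Level.PLAINTEXT, "TLS failed; fell back to cleartext")
    return Decision("deliver", Level.PLAINTEXT, "no STARTTLS offered")


# Constructed destinations covering each branch; none are real hosts.
PEERS = {
    "legacy": Peer("mx.legacy.example", offers_starttls=False),
    "opportunistic": Peer("mx.opp.example", offers_starttls=True),
    "broken_tls": Peer("mx.broken.example", offers_starttls=True, handshake_ok=False),
    "tlsa_insecure": Peer("mx.nodnssec.example", offers_starttls=True,
                          tlsa=(Tlsa(3, 1, 1),), tlsa_secure=False, handshake_ok=False),
    "tlsa_unusable": Peer("mx.pkix.example", offers_starttls=True,
                          tlsa=(Tlsa(1, 0, 1),), tlsa_secure=True),
    "dane_ok": Peer("mx.dane.example", offers_starttls=True,
                    tlsa=(Tlsa(3, 1, 1),), tlsa_secure=True, cert_matches_tlsa=True),
    "dane_bad_cert": Peer("mx.dane.example", offers_starttls=True,
                          tlsa=(Tlsa(3, 1, 1),), tlsa_secure=True),
    "dane_stripped": Peer("mx.dane.example", offers_starttls=False,
                          tlsa=(Tlsa(3, 1, 1),), tlsa_secure=True),
}


def run_all() -> dict:
    """Decision for every constructed peer, keyed by scenario name."""
    return {name: decide(peer) for name, peer in PEERS.items()}


if __name__ == "__main__":
    for name, d in run_all().items():
        print(f"{name:14} {d.action:7} {d.level.value:9} {d.reason}")
```

The point the scenarios make is the asymmetry the message argues for: a destination that never asked for authentication (no DNSSEC-signed TLSA) gets its mail even when TLS is absent or broken, which is what keeps tolerance of a deprecated cipher suite from turning into lost mail, while a destination that did ask (dane_bad_cert, dane_stripped) is deferred rather than downgraded, so the STARTTLS-stripping attacker gains nothing there.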