Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 27 July 2015 20:17 UTC

Date: Mon, 27 Jul 2015 20:17:31 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150727201731.GK4347@mournblade.imrryr.org>
References: <55A938F1.9090404@cs.tcd.ie> <CD936D80-BEA2-4918-828C-E3A392761EC5@gmail.com> <20150727194020.GD15860@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20150727194020.GD15860@localhost>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/tI-oaeEhj953wwFMZLPMdd91J98>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06

On Mon, Jul 27, 2015 at 02:40:21PM -0500, Nico Williams wrote:

> We can only forbid weak crypto in OS applications when the market share
> of such crypto is negligible.

For the particular application in question.  Thus already for email
we can safely forbid "export" ciphers, SSLv2 and 1DES.  

It also looks like we can forbid SSLv3.  The most recent report
of SSLv3-only domains on postfix-users (some banks in Western Europe)
was in Sep 2013:

    http://postfix.1071664.n5.nabble.com/Anyone-use-this-email-server-configuration-td61045.html#a61373

With all the publicity about SSLv3 since, I am optimistic that if
they've not upgraded yet, they will soon.  Thus Postfix official
releases no longer support SSLv3 in OS connections by default
(impact of doing so is finally negligible).

-- 
	Viktor.
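As an added illustration (not part of the message above, and not Postfix's own code): a small checker that reads a Postfix main.cf fragment and reports whether opportunistic outbound TLS still tolerates the legacy crypto the message says can now be forbidden for email (SSLv2, SSLv3, "export" ciphers, single DES). The parameter names smtp_tls_security_level, smtp_tls_protocols and smtp_tls_exclude_ciphers are real Postfix parameters; the two main.cf fragments are constructed for the example, and the list of protocol names it knows about is an assumption reflecting what OpenSSL offered in 2015.

```python
"""Audit a Postfix main.cf fragment for legacy TLS protocols and ciphers.

Added example: the config fragments below are constructed, not taken from
any real mail server, and the checker is not part of Postfix.
"""

import re

# Protocol names Postfix could enable in 2015 (assumption for this example).
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# What the message says can safely be forbidden for email.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-list aliases for export-grade suites and single DES.
FORBIDDEN_CIPHER_ALIASES = {"EXPORT", "DES"}


def parse_main_cf(text):
    """Turn 'name = value' lines into a dict; comments and blank lines are skipped.

    Continuation lines (leading whitespace) are not handled; the fragments
    here do not use them.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def enabled_protocols(value):
    """Resolve smtp_tls_protocols to the set of protocols it enables.

    Postfix accepts either an exclusion list ('!SSLv2, !SSLv3'), meaning
    everything except those, or an inclusive list ('TLSv1.2'); the two
    forms may not be mixed.
    """
    items = split_list(value)
    excluded = {item[1:] for item in items if item.startswith("!")}
    included = {item for item in items if not item.startswith("!")}
    if excluded and included:
        raise ValueError("exclusion and inclusion forms cannot be mixed")
    if excluded:
        return set(KNOWN_PROTOCOLS) - excluded
    return included


def audit(main_cf):
    """Return a sorted-by-category list of findings; empty means nothing legacy is tolerated."""
    params = parse_main_cf(main_cf)
    findings = []

    if params.get("smtp_tls_security_level", "none") == "none":
        findings.append("outbound TLS is not enabled (smtp_tls_security_level)")

    protocols = params.get("smtp_tls_protocols", "")
    if not protocols:
        # The built-in default changed across Postfix releases, so require it explicitly.
        findings.append("smtp_tls_protocols not set; default depends on Postfix version")
        enabled = set()
    else:
        enabled = enabled_protocols(protocols)
    for proto in sorted(FORBIDDEN_PROTOCOLS & enabled):
        findings.append(f"{proto} still enabled")

    excluded_ciphers = set(split_list(params.get("smtp_tls_exclude_ciphers", "")))
    for alias in sorted(FORBIDDEN_CIPHER_ALIASES - excluded_ciphers):
        findings.append(f"cipher alias {alias} not excluded")
    return findings


# Constructed "before" fragment: opportunistic TLS that still tolerates SSLv3,
# export suites and single DES.
LEGACY_MAIN_CF = """
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2
"""

# Constructed "after" fragment: excludes what the message says can be forbidden.
HARDENED_MAIN_CF = """
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = EXPORT, DES
"""

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit(cfg) or "ok")
```

The checker deliberately refuses to guess the built-in default for smtp_tls_protocols: the safe practice is to set it explicitly so that the policy does not silently change with a package upgrade or downgrade.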