Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 October 2014 18:23 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BDDE1A1AD1 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 11:23:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HfoShEaTxNjB for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 11:23:37 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B4601A0368 for <tls@ietf.org>; Fri, 24 Oct 2014 11:23:37 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 882AC2AB109; Fri, 24 Oct 2014 18:23:35 +0000 (UTC)
Date: Fri, 24 Oct 2014 18:23:35 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141024182335.GQ19158@mournblade.imrryr.org>
References: <20141022175238.GF19158@mournblade.imrryr.org> <544837FD.202@cs.tcd.ie> <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF651E4@USMBX1.msg.corp.akamai.com> <5449A667.9040105@cs.tcd.ie> <20141024133728.GI19158@mournblade.imrryr.org> <544A5BB3.4000506@fifthhorseman.net> <20141024141215.GL19158@mournblade.imrryr.org> <544A680F.4080307@fifthhorseman.net> <20141024155407.GO19158@mournblade.imrryr.org> <544A834A.504@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <544A834A.504@fifthhorseman.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/UohXrz_htnfnKp1W6FaKAUVFFhw
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 18:23:40 -0000
On Fri, Oct 24, 2014 at 12:50:18PM -0400, Daniel Kahn Gillmor wrote: > > I am not familiar with any TLS policy pinning capabilities in Exim, > > Postfix, Sendmail or Qmail. > > I didn't say "pinning", but "keeping state", which may or may not > include pinning. I meant pinning in a broad sense that includes storing TLS capabilities. > Postfix's sending MTA at least keeps track of whether > a given destination is considered "unavailable", see for example the > counts tracked and applied by > default_destination_concurrency_failed_cohort_limit. [ Deep-dives into Postfix designs here are not going to be productive direction. I will not respond to further attempts to sell me on the merits of complex schemes for MTA. ] As the instigator of that algorithm, I am well aware of its design. This is not persistent state. It is flushed as soon as there are there no more messages in the queue for the destination in question. For dead destinations the zombie state lives for a short time in the queue manager's memory until a timer expires. This does not leave any room for persisting state beyond the lifetime of a stream of back to back messages. Nor does the queue manager store any state about MX hosts, that would be up the SMTP delivery agent. > > Unless this WG goes out of its way to break opportunistic TLS, it > > is working just fine today. :-) None of the MTAs listed above have > > multi-stage TLS fallback. TLS either works out of the box or is > > not used (cleartext fallback or transmission failure). > > To be clear: if the remote peer appears to offer STARTTLS in EHLO, and > the local system invokes it but the TLS handshake fails/is aborted, then > the local system tries again without doing STARTTLS even though it is > offered by the peer. is this right? It is implementation dependent. Postfix will typically try in the clear, with some of the most recent versions typically after the message is tried and fails at any other MX hosts. Sendmail does not retry in the clear after STARTTLS fails, the message stays in queue unless some other MX host is less broken. > or does a TLS handshake failure > count as a complete transmission failure? Yes in Sendmail. > if it's a transmission > failure comparable to a TCP RST, and the message is re-queued for later, > what is tried on the future reconnection? STARTTLS again with Sendmail. With Postfix generally STARTTLS, but on a second failure by default cleartext in all versions. We're thinking of adding controls that optionally disable this fallback and allow users to chooose the Sendmail behaviour. > even if it just directly > retries in the clear, this is a "fallback dance" of a sort. I already said there's fallback (to cleartext from TLS). There is not and will not be cipher suite or protocol fallback. > Yes, it would be simpler to just require TLS, but we're already past > that point if we're prioritizing deliverability over security while > trying to provide some security anyway. The fallback mechanism will be kept as simple as possible. That means no multiple attempts with different variants of the TLS settings. If that TLS handshake fails, mail is sent in the clear or not sent. If some TLS feature choices are error prone, they are not used. Thus, for example, RC4 will not by default be disabled for some time. If TLS 1.3 will prove to have interop issues, it will be initially disabled until these are resolved. And so on. Opportunistic TLS will avoid bleeding-edge settings, and will stick to what is known to work reliably (be it "less optimally" in some sense). > > Cleartext fallback is much simpler, and the problem is non-existent. > > Simply allowing RC4 avoids the need for all the complex code you > > suggest. > > As does simply not allowing RC4. If we're taking measures to > accommodate broken/out-of-date/poorly-implemented peers, it's worth > thinking about how to scope those accommodations to have minimal > negative effect on better-implemented and more-capable peers, as well as > on how to work around specific forms of misconfiguration that happen to > be prevalent. This non-problem is not worth the time we're spending on it. > Perhaps the argument is that the MTA fallback dance, since it can be > forced ultimately to cleartext by a sufficiently motivated active > attacker anyway, should be *simpler* than the browser fallback dance, > and shouldn't make as many accommodations or require as much state and > complexity to implement. I'm not sure i buy it, but if that's the > argument, it's worth making it explicitly. That's a good part of the argument, opportunistic TLS is icing on the cake. Mostly good neighbourliness for the benefit of the ecosystem rather than a specific desire to protect a paricular message. Therefore, the mechanisms used need to be simple and reliable. With opportunistic DANE TLS, when usable TLSA RRs are published, some SMTP clients allow remote servers to signal a requirement for stronger protection (in a downgrade-resistant manner). Here the picture changes, fallback is not enabled by default (to either cleartext or unauthenticated encryption) and stronger ciphersuites are required. In this case RC4 might reasonably be excluded for such peers. It am not expecting too many RC4-only peers with published TLSA records. We should stop spamming the list... This is largely off topic here. -- VIktor.
- [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hanno Böck
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- [TLS] adopting ChaCha20 as a WG item was: I-D Act… Nikos Mavrogiannopoulos
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Yoav Nir
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- [TLS] why Chacha20-SHA1 was: adopting ChaCha20 as… Nikos Mavrogiannopoulos
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Joachim Strömbergson
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Peter Gutmann
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Brian Smith
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… James Cloos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Paul Lambert
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Carl S. Gutekunst
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… James Cloos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ralph Holz
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ronald del Rosario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Chris Newman
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Joseph Salowey
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Paterson, Kenny
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- [TLS] Fw: I-D Action: draft-ietf-tls-prohibiting-… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Checkoway
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Blumenthal, Uri - 0558 - MITLL