Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-00.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 03 December 2014 08:27 UTC

Date: Wed, 03 Dec 2014 08:27:20 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141203082720.GH285@mournblade.imrryr.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9F9CAB@uxcn10-tdc05.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9F9CAB@uxcn10-tdc05.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_ELEU8SttTOCNv4kIMqVpirsebo
Subject: Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-00.txt

On Wed, Dec 03, 2014 at 07:47:23AM +0000, Peter Gutmann wrote:

> Viktor Dukhovni <ietf-dane@dukhovni.org> writes:
> 
> >a server that wants to use ECDSA when possible, but still wants to
> >interoperate with more than just a select few clients really SHOULD have both
> >ECDSA and RSA certificates.
> 
> Do you want to be the one to tell your CIO that the CA tax on their entire
> server infrastructure just doubled, all in the name of making a fashion
> statement?

For HTTPS, at this time often no, especially not given what EV
certs typically cost.

For SMTP with DANE, the marginal cost for a TLSA record is zero.
Twice zero is still zero.

However, the Let's Encrypt price for "DV" (Domain not Validated,
or perhaps Definitively Vacuous) certs may again turn out to be a
solution of $2x = x$.  And I think they are not first to offer
"free" certs, though the deployment cost in administrator effort
may be where they prove to be cheaper if successful.

Also in terms of software support, IIRC OpenSSL prior to the not
quite yet released 1.0.2 does not process chain files for multiple
certificates as well as one might expect (there are work-arounds).

So I am not expecting multi-certificate deployments (and thus any
ECDSA deployments) to become mainstream in the very near term.

-- 
	Viktor.
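The zero-marginal-cost TLSA records mentioned above, worked through for a server that serves both an RSA and an ECDSA certificate; this is an added example, not code from the message or from any IETF draft. It assumes DER-encoded certificates as input and uses a constructed, unsigned certificate skeleton (`fake_cert`) as sample data; usage 3 / selector 1 / matching type 1 are the RFC 6698 values for DANE-EE, SubjectPublicKeyInfo, SHA-256.

```python
import hashlib

def der(tag, value):
    """Encode one DER TLV with definite length (values up to 65535 bytes)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value

def der_tlv(data, pos=0):
    """Return (tag, value_start, value_end) of the TLV beginning at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from a DER X.509 certificate:
    Certificate{tbsCertificate{[0] version?, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ...}, ...}"""
    _, tbs, _ = der_tlv(cert_der)             # step into Certificate
    _, pos, _ = der_tlv(cert_der, tbs)        # step into tbsCertificate
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                           # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                        # skip serialNumber .. subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)
    return cert_der[pos:end]

def match_data(data, mtype):
    """Association data per matching type: 0 = full hex, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return data.hex()
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()
    raise ValueError("unknown TLSA matching type")

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format RDATA; default 3 1 1 = DANE-EE, SPKI, SHA-256."""
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    return f"{usage} {selector} {mtype} {match_data(data, mtype)}"

def records_for(host, certs, port=25):
    """One TLSA RR per served certificate, e.g. the RSA one and the ECDSA one."""
    return [f"_{port}._tcp.{host}. IN TLSA {tlsa_rdata(c)}" for c in certs]

def fake_cert(spki_der, v3=True):
    """CONSTRUCTED sample input: a structurally valid, unsigned X.509 skeleton."""
    version = der(0xA0, der(0x02, b"\x02")) if v3 else b""
    tbs = der(0x30, version + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki_der)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

Because the SPKI digest is taken per key, a key rollover on either certificate needs only its own record replaced; the other record stays valid.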