IETF Logo Mail Archive

Re: [TLS] Deployment ... Re: This working group has failed

Yoav Nir <synp71@live.com> Wed, 27 November 2013 06:59 UTC

Return-Path: <synp71@live.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E2B21AE115 for <tls@ietfa.amsl.com>; Tue, 26 Nov 2013 22:59:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pEYoC8poPXHo for <tls@ietfa.amsl.com>; Tue, 26 Nov 2013 22:59:11 -0800 (PST)
Received: from blu0-omc1-s33.blu0.hotmail.com (blu0-omc1-s33.blu0.hotmail.com [65.55.116.44]) by ietfa.amsl.com (Postfix) with ESMTP id 7CFF21AE180 for <tls@ietf.org>; Tue, 26 Nov 2013 22:59:11 -0800 (PST)
Received: from BLU0-SMTP203 ([65.55.116.8]) by blu0-omc1-s33.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 26 Nov 2013 22:59:11 -0800
X-TMN: [qAq2gExcsCSU0kxBvLZs972CvzL7yWd8]
X-Originating-Email: [synp71@live.com]
Message-ID: <BLU0-SMTP2032BA7A56EA05E1C2679F7B1EF0@phx.gbl>
Received: from ynir-MBA.local ([80.179.9.115]) by BLU0-SMTP203.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 26 Nov 2013 22:58:07 -0800
Date: Wed, 27 Nov 2013 08:56:55 +0200
From: Yoav Nir <synp71@live.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Andy Lutomirski <luto@amacapital.net>, Peter Gutmann <p.gutmann@auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C736541CBFC@uxcn10-tdc06.UoA.auckland.ac.nz> <CALCETrVeBHqckreYHmaiNONZ8Yj-om5+yQv+ZOfs0Qpj7xXOUA@mail.gmail.com>
In-Reply-To: <CALCETrVeBHqckreYHmaiNONZ8Yj-om5+yQv+ZOfs0Qpj7xXOUA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms080602060903000707090309"
X-OriginalArrivalTime: 27 Nov 2013 06:59:00.0871 (UTC) FILETIME=[269DF970:01CEEB3E]
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2013 06:59:13 -0000

On 27/11/13 1:51 AM, Andy Lutomirski wrote:
> On Tue, Nov 26, 2013 at 3:28 PM, Peter Gutmann <p.gutmann@auckland.ac.nz> wrote:
>> Andy Lutomirski <luto@amacapital.net> writes:
>>
>>> - When in client mode, implementations MUST refuse to connect to a server
>>> unless an explicitly chosen set of trust roots (or other mechanism such as
>>> DANE) authenticates that server (hello, everything).
>> Translated: "TLS implementations MUST refuse to connect to any computer or
>> device that isn't a public web server with a commercial CA-issued
>> certificate".  You may as well mandate that "TLS implementations MUST NOT
>> allow the tide to come in".
> Not at all.  I didn't say "bundled set of trust roots;" I said
> "explicitly chosen".  This would ban, for example:
>
>   - stunnel in client mode with verify = 0 or verify = 1
>   - OpenSSL's SSL_VERIFY_NONE mode
>   - The default behavior of Python's urllib2 module
>
> etc.  If an implementation wanted to offer a scary opt-in way to say
> "make me completely insecure", I have no problem with that.  It's
> unacceptable, though, that the default behavior of a lot of libraries
> is to skip verification.
>
> I personally use TLS with private trust roots -- lots of people do
> this.  The problem is when people use TLS with no trust roots at all.
If by "lots" you mean too many to get them all together for beer night 
-- yes. But the kind of technical know-how is in short supply, and 
caring about this even among those with technical know-how is also thin 
on the ground.

I'm sure there are thousands of people who use TLS with private trust 
roots, as well as thousands of companies. But that's a small portion of 
people and companies, and the rest of us also need stuff that works.

Yoav

v2.23.0 | Report a Bug | By Email