IETF Logo Mail Archive

Re: [Trans] CT for opportunistic STARTTLS in SMTP

Ben Laurie <benl@google.com> Wed, 26 February 2014 11:13 UTC

Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24B8A1A025A for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 03:13:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.326
X-Spam-Level:
X-Spam-Status: No, score=-1.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_48=0.6, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YeA7SXWLV7uo for <trans@ietfa.amsl.com>; Wed, 26 Feb 2014 03:13:10 -0800 (PST)
Received: from mail-ve0-x22b.google.com (mail-ve0-x22b.google.com [IPv6:2607:f8b0:400c:c01::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 1F0551A0256 for <trans@ietf.org>; Wed, 26 Feb 2014 03:13:09 -0800 (PST)
Received: by mail-ve0-f171.google.com with SMTP id oz11so1981716veb.16 for <trans@ietf.org>; Wed, 26 Feb 2014 03:13:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=PDIQPxOt9Yklgud0Yz0og9hBfCLa+XMx0T+Rqv+ZV+s=; b=cXq3JXFfVNkTNSr2jYKzRTcAyTnLl9lJ0q8gRS2sgnle6fmCIWsez5IYu0zYAfy+uv ckZKXNSyx5Mg0373xiwm/nZaJgesunwtW2kjZPG57P15VL0ZKkqe9q8bkTK/mSk9MX00 GBU+wCtjkAf2f67r6tdGV/i11kD7LwhnFPaSMZYKjEhhyad31TLduAXVJ4Sfez7Qx09r R6Pr7Z8d6EHa/NAqsroO+lUNQTFnrw8GzrBh72vSPJFExeA23b9bN9k9gWBLH0Ao2pwi sjsBkUHzirI96SPPxXKqHyeEAo0JsqPXQu21nfjp5Y9jLXaGF+8wdwr/LAsM7suGEwgz Keeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=PDIQPxOt9Yklgud0Yz0og9hBfCLa+XMx0T+Rqv+ZV+s=; b=UHbJCb3fv1VLxE8d0gtgMmYIWOY8cdIVIjNxVlG5CsQj5AsJo9/nMrmncvmOwC3okQ Ga5947OSIUwgZw2mO53AIreAuhE9uZgKdBVqEr8lVA22UyPuuBD/zuvqRRD7vKIRH+iA jidvXKueh9w6aqGR2GhNCZmcLxMWrNt5d/NlM3fcRrCL7qK4mv5zXAZpCfhzJ7dJmyOn 38hmpAACrmg5Re7ESNKHJdo86DUlVmlh5DOFFYOItnrh1szoahwu5LLArtz66Hkup+cB vGu/Hb6Pbwp17+JMXEFDhHyRSu9jP6kaEGKDpuXrC3eR+ZidnJq2ueh63SJlqeqQymZS I7Bw==
X-Gm-Message-State: ALoCoQnD/RqzY6/GOg3eQkN4xFs8t4dAuRKqYxCFt+ZqGaJT6nw4dvdgYnJkbqTrNgEy/Si9ulUmk/BtPofUHSWE6afyMGKPW01gYZo8ZiStl7VE6QwgS+YbckV3HxCsJurrE/nDFZQBFQAWqsqGDKL6fZg05uxkyXpN7ZjBlO5bvG4YsKy5u3SS7OtuUARJly7u8da1kULW
MIME-Version: 1.0
X-Received: by 10.58.59.100 with SMTP id y4mr5495980veq.4.1393413188665; Wed, 26 Feb 2014 03:13:08 -0800 (PST)
Received: by 10.52.230.105 with HTTP; Wed, 26 Feb 2014 03:13:08 -0800 (PST)
In-Reply-To: <4289ed5e74314d56ad59be2e92d0ccb3@DFM-TK5MBX15-07.exchange.corp.microsoft.com>
References: <53063600.4020102@gmail.com> <878ut0usxw.fsf@alice.fifthhorseman.net> <CAMm+LwjANZrgKXxRD-f4POdn7vz9_f1W2Mj8xTGEFVO9-3Unng@mail.gmail.com> <530BB8E3.30303@gmail.com> <530BBCE6.1070100@fifthhorseman.net> <CABrd9SQeReQ_LMFxYJhA2NBCPKCsUXiHjmaF5UgOUEvi-ZJovg@mail.gmail.com> <DEEC5007-F38F-4A20-ADA3-A612C31326C4@vpnc.org> <CABrd9ST9U_KK1bTGAGeUFyr8Gx7GWkau9HiPfcgyOwjnozXuFA@mail.gmail.com> <200B1469-C0AB-4560-B799-F09D4C7221EA@vpnc.org> <2c3b987f362f479fa0d437513b65efa5@DFM-TK5MBX15-05.exchange.corp.microsoft.com> <CAMm+LwgicNZnYtphb5Kp=1bR8G8mMR=ZrVzAgB1DQGsYUPB7cw@mail.gmail.com> <4289ed5e74314d56ad59be2e92d0ccb3@DFM-TK5MBX15-07.exchange.corp.microsoft.com>
Date: Wed, 26 Feb 2014 11:13:08 +0000
Message-ID: <CABrd9SSPjfFfO3LPX1PSeBTyL0gLxz0DPR7te06r3fVmzCD13w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Trevor Freeman <trevorf@exchange.microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/veMCPgettwmQ5OgnAr-_B0Kgru0
Cc: "trans@ietf.org" <trans@ietf.org>, Phillip Hallam-Baker <hallam@gmail.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [Trans] CT for opportunistic STARTTLS in SMTP
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 11:13:13 -0000

On 25 February 2014 22:13, Trevor Freeman
<trevorf@exchange.microsoft.com> wrote:
> The point with opportunistic TLS is its OPPORTUNISTIC, if there is any
> failure it will fall back to send without TLS. In opportunistic TLS the
> sender does no checks whatsoever on the certificate so why would it care
> about CT?

Then perhaps the word "opportunistic" should be removed from the
question. What is the relevance of CT to SMTP+STARTTLS?

>
>
>
> Besides the whole STARTTLS negation is already subject to downgrade attacks.
> Some firewalls actively block the STARTTLS negotiation.
>
>
>
> From: Phillip Hallam-Baker [mailto:hallam@gmail.com]
> Sent: Tuesday, February 25, 2014 1:48 PM
> To: Trevor Freeman
> Cc: Paul Hoffman; Ben Laurie; trans@ietf.org; Daniel Kahn Gillmor
>
>
> Subject: Re: [Trans] CT for opportunistic STARTTLS in SMTP
>
>
>
> The idea seems to be that there is an append only log server that clients
> are gong to be checking. So we can use that to stuff security policy
> information into the system.
>
>
>
> The problem is that the client only checks the CT logs in the normal case
> after it has decided to use TLS.
>
>
>
> So there is certainly a value in using an append only log to publish
> security policy data and in fact I do this in PPE. But it is only a solution
> to the downgrade attack problem with a lot of extra infrastructure. For
> example an Omnibroker scanning the CT log and using that to build the
> connection profile.
>
>
>
>
>
>
>
>
>
> On Tue, Feb 25, 2014 at 2:47 PM, Trevor Freeman
> <trevorf@exchange.microsoft.com> wrote:
>
> I don't see the relevance of CT to opportunistic STARTTLS.
>
> Opportunistic STARTTLS is a feature of the sender whereby the sender picks
> STARTTLS if offered, but otherwise will send the email.  If the alternative
> was send unprotected over plain TCP, you may as well negotiate TLS if
> offered.  Moreover, if TLS negotiation fails for whatever reason, the send
> remembers the fact and done not attempt to negotiate next time.
>
> The sender does have a list of SMTP domains where it requires TLS
> authentication, but that is mandatory  STARTTLS.
>
>
> -----Original Message-----
> From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Paul Hoffman
> Sent: Tuesday, February 25, 2014 9:54 AM
> To: Ben Laurie
> Cc: trans@ietf.org; Daniel Kahn Gillmor
> Subject: Re: [Trans] CT for opportunistic STARTTLS in SMTP
>
> On Feb 25, 2014, at 9:36 AM, Ben Laurie <benl@google.com> wrote:
>
>>> At the earlier CT meeting, I think someone proposed that there could be a
>>> check that the cert was in actual use at the place it said it was.
>>
>> That does not seem effective to me.
>
> It is more effective than doing nothing; it may not be effective enough to
> prevent overwhelm by spam. I was just pointing it out as something that was
> proposed, not well-thought-out.
>
> --Paul Hoffman
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>
>
>
>
>
> --
> Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email