Re: [Uta] Opportunistic encryption and authentication agility
Keith Moore <moore@network-heretics.com> Sat, 22 March 2014 02:52 UTC
Return-Path: <moore@network-heretics.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EECA11A043A for <uta@ietfa.amsl.com>; Fri, 21 Mar 2014 19:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yn-9Y4fDm2RC for <uta@ietfa.amsl.com>; Fri, 21 Mar 2014 19:52:08 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) by ietfa.amsl.com (Postfix) with ESMTP id D6A4F1A033B for <uta@ietf.org>; Fri, 21 Mar 2014 19:52:07 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 3FE5421112 for <uta@ietf.org>; Fri, 21 Mar 2014 22:51:58 -0400 (EDT)
Received: from frontend1 ([10.202.2.160]) by compute3.internal (MEProxy); Fri, 21 Mar 2014 22:51:58 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:date:from:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; s=smtpout; bh=NneBJoJsaJksYgyn/lfB6u WW7Lw=; b=BlZP/KtOvoUnKm0Cy+xIAH9W/+vLt84VBIxHteS3eayZt4AlemwrA4 HmT4im7hAtpp31WCgjhladFgu1FnoYCbI5Mn5CwxaMkfSND0JfwR0Do/HEvPL0WD zjyFEP3wY69VxyN9KWb9cO6x25HSGNtVctxRc9mml9eiWYQO/MY4U=
X-Sasl-enc: p1Snz3wgrK3+0zJ1LONpo+fe/ylTk8ppjnAC1KM9JvWt 1395456717
Received: from [192.168.1.4] (unknown [65.16.145.177]) by mail.messagingengine.com (Postfix) with ESMTPA id 4D6E4C0000C; Fri, 21 Mar 2014 22:51:56 -0400 (EDT)
Message-ID: <532CFAB0.4070301@network-heretics.com>
Date: Fri, 21 Mar 2014 22:51:28 -0400
From: Keith Moore <moore@network-heretics.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>, "uta@ietf.org" <uta@ietf.org>
References: <CAGZ8ZG0rBxiE2dGZXhpvhKiyJOu=6Bn8sQ2seJ9_KvgPjmaaRg@mail.gmail.com>
In-Reply-To: <CAGZ8ZG0rBxiE2dGZXhpvhKiyJOu=6Bn8sQ2seJ9_KvgPjmaaRg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/GS4Jzolum6j_fCOuZsr9ABPLKoo
Subject: Re: [Uta] Opportunistic encryption and authentication agility
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Mar 2014 02:52:10 -0000
On 03/21/2014 09:37 PM, Trevor Perrin wrote: > A point I haven't seen in the recent debate: > > Whether a TLS connection is "opportunistic" or "authenticated" depends > not just on the wire protocol but on the client's capabilities. > > A client who possesses an HPKP or TACK pin, or is capable of querying > DANE or Convergence, might be able to authenticate a connection which > to a different client would be opportunistic. > > So when we talk about OE at the protocol level, I think we're really > talking about whether to allow agility of authentication methods, or > mandate a specific method. Partly. And again, I expect that the mandate will be different for different protocols. Note that as far as I can tell, it will still be possible to implement a client that supports only OE; it just doesn't bother verifying the cert / DNSSEC + TLSA record / pinned key / whatever. Whether that client will conform to the recommendations that this group produces, is a different question. But offhand I don't know of a way to keep such clients from working (though for new protocols, it might be nice if there were one). Similarly, even if we require TLS for some protocols, it will still be possible for a server to supply a self-signed cert with no additional validation; then it becomes up to the client to decide what to do with that. We can make recommendations (or "mandates"), but we can't force clients to behave in any particular way. And of course there will be some protocols for which it's impractical to require TLS in the near term, or maybe ever; e.g. cleartext operation for SMTP mail relaying is so well-entrenched that it might be harder to transition to all-TLS SMTP than it has been to transition to all-IPv6. So our task is to make recommendations that server operators and client implementors want to implement, but which still improve security in the near term - and (perhaps more importantly) which also leave room for security to get better in the future. To me this says that to endorse bare OE for any particular application should be an absolute last resort. There should always be _some_ way for clients to learn which servers can be expected to support authenticated encryption, even if that varies from one application/protocol to the next. Another subtlety: There can be a difference between what we "mandate" for client and server implementations, versus what we "mandate" for services. Example: If a web site that does nothing but supply free information to unauthenticated parties doesn't want to support authenticated encryption, maybe that's just fine. We might still want to "mandate" authenticated encryption for web sites that provide access to sensitive information, or for which user authentication is otherwise necessary. But independent of the requirement for services, web client implementations could still be required (maybe as a SHOULD) to support authenticated encryption (using server certs, TLSA, pinning, or whatever set of methods were deemed appropriate to mandate). > In the case of HTTPS, the Web PKI has been mandated. A small site > that doesn't want to pay the costs of Web PKI but would be willing to > deploy cheaper methods (pinning; DNSSEC/DANE) cannot do so. Who has mandated the "Web PKI" as the only way to verify a server cert? Is this carved in stone? > If opportunistic TLS was allowed, then we would have the ability to > deploy new auth methods without having to forever support whatever was > in vogue when the initial standard came out. > > I think that argues in favor of opportunistic TLS, for HTTP and other protocols. I don't get it. If the UTA WG can recommend that web clients permit OE, why can't it just as easily recommend that web clients treat OE (from a UI perspective) as no better than cleartext, but support pinning and/or DANE TLSA as alternative ways to verify a server cert to provide some indication to the user that the connection is secure? Keith
- Re: [Uta] Opportunistic encryption and authentica… Daniel Kahn Gillmor
- [Uta] Opportunistic encryption and authentication… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Aaron Zauner
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Michael Richardson
- Re: [Uta] Opportunistic encryption and authentica… Eliot Lear
- Re: [Uta] Opportunistic encryption and authentica… Michael Richardson
- Re: [Uta] Opportunistic encryption and authentica… Eliot Lear
- Re: [Uta] Opportunistic encryption and authentica… Michael Richardson
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… Michael Richardson
- Re: [Uta] Opportunistic encryption and authentica… Eliot Lear
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… Daniel Kahn Gillmor
- Re: [Uta] Opportunistic encryption and authentica… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… William Chan (陈智昌)
- Re: [Uta] Opportunistic encryption and authentica… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Watson Ladd
- Re: [Uta] Opportunistic encryption and authentica… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore