Re: [Uta] getting back to UTA and injecting clue
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 17 March 2014 14:52 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 019691A02F3 for <uta@ietfa.amsl.com>; Mon, 17 Mar 2014 07:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ooMy_05xMK6X for <uta@ietfa.amsl.com>; Mon, 17 Mar 2014 07:52:00 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 88ECC1A014D for <uta@ietf.org>; Mon, 17 Mar 2014 07:52:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3CD7CBE8A; Mon, 17 Mar 2014 14:51:52 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G04YN3H+3D9F; Mon, 17 Mar 2014 14:51:50 +0000 (GMT)
Received: from [10.87.48.11] (unknown [86.42.22.156]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 7DA0EBE4C; Mon, 17 Mar 2014 14:51:50 +0000 (GMT)
Message-ID: <53270C06.7010202@cs.tcd.ie>
Date: Mon, 17 Mar 2014 14:51:50 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Eliot Lear <lear@cisco.com>, Michael Richardson <mcr+ietf@sandelman.ca>, uta@ietf.org
References: <53249D4E.2080104@network-heretics.com> <5324ECFC.2050004@akr.io> <53256D07.7020005@network-heretics.com> <5325AEB2.9070804@mnt.se> <5325B3E7.3060508@network-heretics.com> <5326271D.40107@eff.org> <532660F5.908@cs.tcd.ie> <7258.1395059446@sandelman.ca> <5326FCF4.2070808@cisco.com>
In-Reply-To: <5326FCF4.2070808@cisco.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/PSaU7XaEb88c6tk5AkQW0agicj4
Subject: Re: [Uta] getting back to UTA and injecting clue
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 14:52:03 -0000
Eliot is correct IMO. S On 03/17/2014 01:47 PM, Eliot Lear wrote: > I'd like suggest a change of direction for this discussion. If we get a > bit more specific about the use cases, it will become clear when it is > reasonable to make use of fully authenticated (bidirectional) TLS; when > it might make sense to do *some* form of opportunistic keying and when > it makes sense to do nothing (there are, I think some limited cases for > not encrypting). Keith well knows the situation with email, and in fact > the draft that he and Chris seems like a good place to go back to. > > Keeping in mind that the ecosystem for email clients is extremely > diverse, ranging from complex UIs to PHP modules to age-old shell > scripts, and from private environments to the wild and woolly Internet, > if our goal is to get TLS to be the default then one has to ask this > question: why is it not already so? The answer might be a useful > addition to the draft. > > So for instance, if clients are meant to speak TLS either by default or > all the time, what does it look like on the server end in an enterprise, > we know that enterprises have great difficulty managing certificates, > both in terms of initial configuration and ongoing maintenance. Some of > it is just not wanting to go to a CA for a cert again and again. Some > of it is simply keeping track of what expires when. > > Also, perhaps there are some enterprise environments where DANE is > perhaps more feasible than in the wild Internet. The authors take this > into account in Section 2.2.12 (I think), but perhaps some support text > about when and how DANE is used would prove useful. It might also > motivate those who are writing MUAs to actually implement DANE. > > Anyway, hopefully you'll find this food for thought. > > Eliot > > On 3/17/14, 1:30 PM, Michael Richardson wrote: >> To a pervasive monitor that sees/intercepts traffic only the middle >> (i.e. they did not monitor/intercept DNS/OCSP/etc. requests), >> OK enabled traffic is hard to distinguish from pre-configured security. >> >> As such, the more crypto traffic there is, the harder it is to decide >> which traffic can be MITM without detection. >> >> (IKE/IPsec is slightly better in terms of traffic analysis of >> crypto-identities and port numbers here) >> >>> That kind of "if we do something, some other bad thing may happen" >>> argument is utterly bogus IMO. >> Or, "better is the enemy of good enough". >> Throughout the over-long review of 4322, I came to understand that the people >> who kept saying that were the NSA pawns/moles. Pawn, because I came to >> understand that many of them were unaware of what they were doing. >> >> -- >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works >> -= IPv6 IoT consulting for hire =- >> >> >> >> >> >> _______________________________________________ >> Uta mailing list >> Uta@ietf.org >> https://www.ietf.org/mailman/listinfo/uta > > > > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] opportunistic keying / encryption considere… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Watson Ladd
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Paul Hoffman
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Michael Richardson
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Michael Richardson
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Yan Zhu
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Alyssa Rowan
- Re: [Uta] opportunistic keying / encryption consi… Olle E. Johansson
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Leif Johansson
- Re: [Uta] opportunistic keying / encryption consi… Alan Johnston
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Yan Zhu
- Re: [Uta] opportunistic keying / encryption consi… Daniel Kahn Gillmor
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Michael Richardson
- [Uta] getting back to UTA and injecting clue (was… Eliot Lear
- Re: [Uta] opportunistic keying / encryption consi… Salz, Rich
- Re: [Uta] opportunistic keying / encryption consi… Alyssa Rowan
- Re: [Uta] opportunistic keying / encryption consi… Olle E. Johansson
- Re: [Uta] opportunistic keying / encryption consi… Daniel Kahn Gillmor
- Re: [Uta] opportunistic keying / encryption consi… Alyssa Rowan
- Re: [Uta] opportunistic keying / encryption consi… Alyssa Rowan
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] getting back to UTA and injecting clue Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] getting back to UTA and injecting clue … Olle E. Johansson
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Orit Levin (LCA)
- Re: [Uta] opportunistic keying / encryption consi… Rick Andrews
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Trevor Perrin
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Trevor Perrin
- Re: [Uta] opportunistic keying / encryption consi… Watson Ladd
- Re: [Uta] opportunistic keying / encryption consi… Christian Huitema
- Re: [Uta] opportunistic keying / encryption consi… t.p.
- Re: [Uta] opportunistic keying / encryption consi… Adam Langley
- Re: [Uta] opportunistic keying / encryption consi… t.p.
- Re: [Uta] getting back to UTA and injecting clue Peter Saint-Andre
- Re: [Uta] getting back to UTA and injecting clue Peter Saint-Andre
- Re: [Uta] getting back to UTA and injecting clue Alexey Melnikov
- Re: [Uta] getting back to UTA and injecting clue Leif Johansson