Re: [Uta] Opportunistic encryption and authentication agility
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 24 March 2014 01:58 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A63C81A00A6 for <uta@ietfa.amsl.com>; Sun, 23 Mar 2014 18:58:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_TVD_MIME_NO_HEADERS=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XeL3D6B1MAzQ for <uta@ietfa.amsl.com>; Sun, 23 Mar 2014 18:58:01 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) by ietfa.amsl.com (Postfix) with ESMTP id E48691A0096 for <uta@ietf.org>; Sun, 23 Mar 2014 18:58:00 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 7018420049; Sun, 23 Mar 2014 23:17:39 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 4F74C63AB2; Sun, 23 Mar 2014 21:58:00 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 3CE4663AA2; Sun, 23 Mar 2014 21:58:00 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "uta@ietf.org" <uta@ietf.org>
In-Reply-To: <532F678A.2090404@cisco.com>
References: <CAGZ8ZG0rBxiE2dGZXhpvhKiyJOu=6Bn8sQ2seJ9_KvgPjmaaRg@mail.gmail.com> <532CFAB0.4070301@network-heretics.com> <10492.1395613933@sandelman.ca> <532F678A.2090404@cisco.com>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Sun, 23 Mar 2014 21:58:00 -0400
Message-ID: <23061.1395626280@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/Wu7LQ7YbIBn-E8jYX4hMZVP70Jk
Cc: Eliot Lear <lear@cisco.com>
Subject: Re: [Uta] Opportunistic encryption and authentication agility
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Mar 2014 01:58:02 -0000
Eliot Lear <lear@cisco.com> wrote: >> Well, that's not really correct advice. >> The correct advice is that: >> If the client is unable to verify the cert via (some set of methods, >> locally determined), that it treats the connection as if it was >> unencrypted, according the same level of (un)privileges. > Perhaps I misread Keith's note, but I didn't take it as advice. Rather > he's assessing the current situation. I read it as "this is how to implement OE". He wrote: keith> Note that as far as I can tell, it will still be possible to keith> implement a client that supports only OE; it just doesn't bother keith> verifying the cert / DNSSEC + TLSA record / pinned key / whatever. keith> Whether that client will > Your advice seems reasonably applicable for mail, at least at first > blush. But different protocols have different anticipated environments, > and I took Trevor's email Keith's replies to be more general > statements. My favorite example going the other way is SCIM, where you SCIM == System for Cross-domain Identity Management (?) http://datatracker.ietf.org/wg/scim/charter/ (there are other options to expand that acronym) Does SCIM have a mode where it is happy (and meaningful) to run unencrypted? I see in the charter talk about HTTP vs HTTPS. Reading three pages of the API document, it seems that one could run LIST/RETRIEVE operations in the clear. So, actually, I think that my advice is exactly correct. If the certificates for HTTPS do not verify, then you should treat the connection exactly as you would if it occured over HTTP. If that means that the client shouldn't trust what the server says, then that's what the client should do. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [Uta] Opportunistic encryption and authentica… Daniel Kahn Gillmor
- [Uta] Opportunistic encryption and authentication… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Aaron Zauner
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Michael Richardson
- Re: [Uta] Opportunistic encryption and authentica… Eliot Lear
- Re: [Uta] Opportunistic encryption and authentica… Michael Richardson
- Re: [Uta] Opportunistic encryption and authentica… Eliot Lear
- Re: [Uta] Opportunistic encryption and authentica… Michael Richardson
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… Michael Richardson
- Re: [Uta] Opportunistic encryption and authentica… Eliot Lear
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… Daniel Kahn Gillmor
- Re: [Uta] Opportunistic encryption and authentica… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore
- Re: [Uta] Opportunistic encryption and authentica… William Chan (陈智昌)
- Re: [Uta] Opportunistic encryption and authentica… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Watson Ladd
- Re: [Uta] Opportunistic encryption and authentica… Trevor Perrin
- Re: [Uta] Opportunistic encryption and authentica… Keith Moore