IETF Logo Mail Archive

Re: [Uta] Opportunistic encryption and authentication agility

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 24 March 2014 01:58 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A63C81A00A6 for <uta@ietfa.amsl.com>; Sun, 23 Mar 2014 18:58:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_TVD_MIME_NO_HEADERS=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XeL3D6B1MAzQ for <uta@ietfa.amsl.com>; Sun, 23 Mar 2014 18:58:01 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) by ietfa.amsl.com (Postfix) with ESMTP id E48691A0096 for <uta@ietf.org>; Sun, 23 Mar 2014 18:58:00 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 7018420049; Sun, 23 Mar 2014 23:17:39 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 4F74C63AB2; Sun, 23 Mar 2014 21:58:00 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 3CE4663AA2; Sun, 23 Mar 2014 21:58:00 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "uta@ietf.org" <uta@ietf.org>
In-Reply-To: <532F678A.2090404@cisco.com>
References: <CAGZ8ZG0rBxiE2dGZXhpvhKiyJOu=6Bn8sQ2seJ9_KvgPjmaaRg@mail.gmail.com> <532CFAB0.4070301@network-heretics.com> <10492.1395613933@sandelman.ca> <532F678A.2090404@cisco.com>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Sun, 23 Mar 2014 21:58:00 -0400
Message-ID: <23061.1395626280@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/Wu7LQ7YbIBn-E8jYX4hMZVP70Jk
Cc: Eliot Lear <lear@cisco.com>
Subject: Re: [Uta] Opportunistic encryption and authentication agility
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Mar 2014 01:58:02 -0000

Eliot Lear <lear@cisco.com> wrote:
    >> Well, that's not really correct advice.

    >> The correct advice is that:
    >> If the client is unable to verify the cert via (some set of methods,
    >> locally determined), that it treats the connection as if it was
    >> unencrypted, according the same level of (un)privileges.

    > Perhaps I misread Keith's note, but I didn't take it as advice.  Rather
    > he's assessing the current situation.

I read it as "this is how to implement OE". He wrote:

  keith> Note that as far as I can tell, it will still be possible to
  keith> implement a client that supports only OE; it just doesn't bother
  keith> verifying the cert / DNSSEC + TLSA record / pinned key / whatever.
  keith> Whether that client will


    > Your advice seems reasonably applicable for mail, at least at first
    > blush.  But different protocols have different anticipated environments,
    > and I took Trevor's email Keith's replies to be more general
    > statements.  My favorite example going the other way is SCIM, where you

SCIM == System for Cross-domain Identity Management (?)
     http://datatracker.ietf.org/wg/scim/charter/
     (there are other options to expand that acronym)

Does SCIM have a mode where it is happy (and meaningful) to run unencrypted?
I see in the charter talk about HTTP vs HTTPS.
Reading three pages of the API document, it seems that one could run
LIST/RETRIEVE operations in the clear.

So, actually, I think that my advice is exactly correct.

If the certificates for HTTPS do not verify, then you should treat the
connection exactly as you would if it occured over HTTP.  If that
means that the client shouldn't trust what the server says, then
that's what the client should do.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email