Re: [Uta] What's the right thing to do about Port 465?

Keith Moore <moore@network-heretics.com> Tue, 11 March 2014 12:42 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 502081A0721 for <uta@ietfa.amsl.com>; Tue, 11 Mar 2014 05:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DzMhvWmjdgmx for <uta@ietfa.amsl.com>; Tue, 11 Mar 2014 05:42:09 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) by ietfa.amsl.com (Postfix) with ESMTP id 7AF531A0715 for <uta@ietf.org>; Tue, 11 Mar 2014 05:41:59 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.mail.srv.osa [10.202.2.41]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id A65D92104B for <uta@ietf.org>; Tue, 11 Mar 2014 08:41:53 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute1.internal (MEProxy); Tue, 11 Mar 2014 08:41:53 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:date:from:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; s=smtpout; bh=Iiz6i89Ls4VHPNjUYsDDzS ujYe0=; b=CxLT9M8LVfy0ck43mcw0mD5H1CXDqAS1XyGA0ReU7z62JcAhs+3JCS gpAsbc/IaqoTQEwyRhnyirgAN+r79nsknlPFcPRIi66HOPUe6ggnivsT2ah029qC pZzuEYifWRM62goPyoivExyKsDfFEGEy+gMIIYy7MZMfs+TFFQHVA=
X-Sasl-enc: rST2rXGlKkbERY23MN0uoinF96VEzR6veTZvgQQCYqXb 1394541713
Received: from [192.168.1.4] (unknown [65.16.145.177]) by mail.messagingengine.com (Postfix) with ESMTPA id F08B46800CB; Tue, 11 Mar 2014 08:41:52 -0400 (EDT)
Message-ID: <531F0457.5030506@network-heretics.com>
Date: Tue, 11 Mar 2014 08:40:55 -0400
From: Keith Moore <moore@network-heretics.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: uta@ietf.org
References: <2A0EFB9C05D0164E98F19BB0AF3708C711FB9AAD89@USMBX1.msg.corp.akamai.com> <8691BA706C9BAB52D64A8444@96B2F16665FF96BAE59E9B90> <00cd01cf3b05$4e5fa500$eb1eef00$@huitema.net> <531D60FC.2090604@cisco.com> <531D6338.7050505@network-heretics.com> <18E382E9817F03CAC7D0DB68@[192.168.15.107]> <01f201cf3d17$a4db2080$4001a8c0@gateway.2wire.net>
In-Reply-To: <01f201cf3d17$a4db2080$4001a8c0@gateway.2wire.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/ZHvP59BrOgx_YYTZDYtpkC49CCA
Subject: Re: [Uta] What's the right thing to do about Port 465?
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 12:42:12 -0000

On 03/11/2014 06:24 AM, t.p. wrote:
> In terms of getting from where we are to where we want to be, ports are
> realistically the only option, for anything that affects the end user
> with their PC.
>
> All the PCs I have had to configure have allowed me to put in a port of
> my choosing whereas if they were not shipped with a STARTTLS or SRV-ID
> option, then it is unlikely to happen soon (or ever).  Last I saw 20% of
> users accessing web sites were on Windows XP - out of currency 8th April
> 2014 - so anything requiring a software upgrade is likely to involve a
> migration lasting a decade.

I agree that we should expect a long-term migration before all users are 
safely out of the worst combinations of user-agent, configuration, 
TLS/SSL implementation, etc.   I don't think that should change what we 
recommend as best or standard practice.  But we need to realize that 
both clients and servers that conform to the new standards will need to 
be configurable to interoperate with servers and clients (respectively) 
that are in use today, for many years to come.

For example, this means that servers that meet our recommendations are 
going to need to be configurable to support RC4, old versions of TLS, 
STARTTLS, deprecated/disfavored ports (if we decide that there are any), 
old certificate subject name conventions, and even cleartext, for some 
time.   And the situation is almost as bad for clients that meet our 
recommendations, but hopefully such clients will "latch" better 
capabilities as they become available, stop using these protocols and 
ciphersuites for existing configurations, and warn users about 
establishing new configurations that use them.

Keith
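The client-side "latching" behaviour Keith describes, as an added example that is not part of the thread and not code from any mail client: a client records the strongest transport security it has seen a given server offer, refuses to fall back below that for an existing configuration, and warns the user when a new configuration would rely on cleartext or legacy TLS (old protocol version or RC4). The names `Security`, `LatchStore`, `parse_ehlo`, `plan_session` and `classify` are hypothetical, and the EHLO replies are constructed inline so the example runs offline.

```python
"""Client-side latching of mail-server transport security (added example).

Not code from the UTA thread or any real client. Models the behaviour
described in the message: remember the best level observed per server,
never accept weaker for that server afterwards, warn on weak new configs.
Names and the EHLO replies below are constructed for illustration.
"""
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Security(IntEnum):
    """Transport security actually achieved on a session, weakest first."""
    CLEARTEXT = 0
    LEGACY_TLS = 1   # TLS older than 1.2, or an RC4 cipher suite
    MODERN_TLS = 2   # TLS 1.2+ with a non-RC4 suite


MODERN_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Constructed EHLO replies, as a client would read them after sending EHLO.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)


def parse_ehlo(reply: str) -> Set[str]:
    """Return the EHLO keywords of a multi-line 250 reply (greeting line skipped)."""
    caps: Set[str] = set()
    for index, line in enumerate(reply.splitlines()):
        if index == 0 or len(line) < 4 or line[:3] != "250":
            continue
        caps.add(line[4:].split(" ", 1)[0].upper())
    return caps


def plan_session(port: int, caps: Set[str]) -> str:
    """How TLS can be obtained on this connection: implicit, starttls, or none."""
    if port == 465:
        return "implicit"      # TLS from the first byte; EHLO happens inside TLS
    if "STARTTLS" in caps:
        return "starttls"
    return "none"


def classify(tls_version: Optional[str], cipher: Optional[str]) -> Security:
    """Rate a negotiated session from its TLS version and cipher suite name."""
    if tls_version is None:
        return Security.CLEARTEXT
    if tls_version in MODERN_TLS_VERSIONS and "RC4" not in (cipher or "").upper():
        return Security.MODERN_TLS
    return Security.LEGACY_TLS


class LatchStore:
    """Per-server record of the best security level ever observed."""

    def __init__(self) -> None:
        self._best: Dict[str, Security] = {}

    def latched(self, host: str) -> Security:
        return self._best.get(host, Security.CLEARTEXT)

    def observe(self, host: str, level: Security) -> Security:
        """Record a session's level; the latch only ever moves upward."""
        if level > self.latched(host):
            self._best[host] = level
        return self.latched(host)

    def accept(self, host: str, level: Security) -> bool:
        """Existing configuration: refuse any session weaker than the latch."""
        return level >= self.latched(host)

    def warnings_for_new_config(self, host: str, level: Security) -> List[str]:
        """New configuration: permitted, but the user is told what they accept."""
        if level == Security.CLEARTEXT:
            return [f"{host}: mail would be sent in cleartext"]
        if level == Security.LEGACY_TLS:
            return [f"{host}: only legacy TLS (old version or RC4) is available"]
        return []


if __name__ == "__main__":
    store = LatchStore()
    host = "mail.example.test"
    caps = parse_ehlo(EHLO_WITH_STARTTLS)
    print("plan on 587:", plan_session(587, caps))
    store.observe(host, classify("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"))
    # A later session that only manages TLS 1.0 with RC4 is refused for this host.
    print("accept RC4 after latch:", store.accept(host, classify("TLSv1", "RC4-SHA")))
    print("new cleartext config:",
          store.warnings_for_new_config("old.example.test", Security.CLEARTEXT))
```

The latch is per server, so a legacy-only server a user still has to reach keeps working, while a server that has been seen with modern TLS cannot later be downgraded for that account; the warning path covers the "new configurations" case separately, as the message distinguishes them.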