IETF Logo Mail Archive

Re: [Uta] Opportunistic encryption and authentication agility

Eliot Lear <lear@cisco.com> Sun, 23 March 2014 23:00 UTC

Return-Path: <lear@cisco.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1173C1A6EE1 for <uta@ietfa.amsl.com>; Sun, 23 Mar 2014 16:00:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DSkVtTyWGJWm for <uta@ietfa.amsl.com>; Sun, 23 Mar 2014 16:00:31 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id EF5641A0A71 for <uta@ietf.org>; Sun, 23 Mar 2014 16:00:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1542; q=dns/txt; s=iport; t=1395615630; x=1396825230; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=WdbdFz42SrktS9+X2jZ2PzD1kWjKOLg3guQDX9ZfEgQ=; b=QlQZuVN0zZ7pqw9g7Vpl61eDC/Y3CgoqSehnsu0F63YNizHECFLmNwa7 IHPc1JeVMXWRodmrm8ugn5LBcy7pIfqYs91s/G/CzbsRG8qyO7AMtYtBC hCcd6R2X3PZgkZFsXQzuZbTwb9mOML88FsOqO+cUp14if6HGEBvkN9+sk U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiAFAEBnL1OrRDoJ/2dsb2JhbABZgwaEGb9rgRAWdIIlAQEBBCNVARALGAICBRYLAgIJAwIBAgFFBgEMAQUCAQGHdKtJoW4XgSmMbxACAU8Hgm+BSQEDiVCOepIxgzowgS4k
X-IronPort-AV: E=Sophos;i="4.97,716,1389744000"; d="scan'208";a="106267668"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-3.cisco.com with ESMTP; 23 Mar 2014 23:00:29 +0000
Received: from ELEAR-M-C3ZS.CISCO.COM (sjc-vpn3-309.cisco.com [10.21.65.53]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s2NN0QFN015976; Sun, 23 Mar 2014 23:00:27 GMT
Message-ID: <532F678A.2090404@cisco.com>
Date: Mon, 24 Mar 2014 07:00:26 +0800
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Michael Richardson <mcr+ietf@sandelman.ca>, Keith Moore <moore@network-heretics.com>
References: <CAGZ8ZG0rBxiE2dGZXhpvhKiyJOu=6Bn8sQ2seJ9_KvgPjmaaRg@mail.gmail.com> <532CFAB0.4070301@network-heretics.com> <10492.1395613933@sandelman.ca>
In-Reply-To: <10492.1395613933@sandelman.ca>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/fV4wzvs_KmowNZxo-YI3RXgyjuU
Cc: Trevor Perrin <trevp@trevp.net>, "uta@ietf.org" <uta@ietf.org>
Subject: Re: [Uta] Opportunistic encryption and authentication agility
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Mar 2014 23:00:33 -0000

Hi Michael,

On 3/24/14, 6:32 AM, Michael Richardson wrote:
> Keith Moore <moore@network-heretics.com> wrote:
>     > Note that as far as I can tell, it will still be possible to implement a
>     > client that supports only OE; it just doesn't bother verifying the cert /
>     > DNSSEC + TLSA record / pinned key / whatever.    Whether that client will
>     > conform to the recommendations that this group produces, is a different
>     > question.   But offhand I don't know of a way to keep such clients from
>     > working (though for new protocols, it might be nice if there were one).
>
> Well, that's not really correct advice.
> The correct advice is that:
>    If the client is unable to verify the cert via (some set of methods,
>    locally determined), that it treats the connection as if it was
>    unencrypted, according the same level of (un)privileges.

Perhaps I misread Keith's note, but I didn't take it as advice.  Rather
he's assessing the current situation. 

Your advice seems reasonably applicable for mail, at least at first
blush.  But different protocols have different anticipated environments,
and I took Trevor's email Keith's replies to be more general
statements.  My favorite example going the other way is SCIM, where you
would have to be crazy not to fully validate both ends.  I don't know if
it's in the UTA charter, but we discussed developing a general guidance
document in the STRINT workshop to at least help sort out the classes of
(at least envisaged) use.

Eliot

v2.23.0 | Report a Bug | By Email