[ietf-smtp] ALPN

Should we request a TLS ALPN identifier?

Current registry:
  
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids

Draft recommendation:

  draft-ietf-uta-rfc7525bis-01.txt
  - Section 5 "Applicability Statement" lists "SMTP traffic".
  - Section 3.8 "Application-Layer Protocol Negotiation" says that the TLS
    must support - but nothing is said about the application layer actually
    making use.



Implementing a defensive-only ALPN check (refusing a TLS startup, as
server, if anything but the obvious choice of "smtp" is offered as a
requested ALPN by the client) is not hard coding for either OpenSSL
or GnuTLS.  Locking out retries with downgrade to cleartext would be
more effort, but perhaps not relevant as a defence against the ALPACA
attack.

In client MTA mode I'd expect the coding to make an ALPN request to
be similarly simple. Administrative controls for 
non-use/offer/require-acceptance
would probably be more work than just the library interface.
--
Cheers,
  Jeremy

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp

<Prev in Thread]	Current Thread	[Next in Thread>
[ietf-smtp] ALPN, Jeremy Harris <= Re: [ietf-smtp] ALPN, John Levine Re: [ietf-smtp] ALPN, Viktor Dukhovni Re: [ietf-smtp] ALPN, Claus Assmann Re: [ietf-smtp] ALPN, John Levine Re: [ietf-smtp] ALPN, Alexey Melnikov Re: [ietf-smtp] ALPN, Jeremy Harris Re: [ietf-smtp] ALPN, Claus Assmann Re: [ietf-smtp] ALPN, John Levine Re: [ietf-smtp] ALPN, Claus Assmann Re: [ietf-smtp] ALPN, Arnt Gulbrandsen