
Re: IETF mail server and SSLv3

2016-02-21 11:08:35

On Feb 8, 2016, at 8:35 AM, ned+ietf(_at_)mauve(_dot_)mrochek(_dot_)com wrote:


On Jan 26, 2016, at 1:16 PM, Jari Arkko 
<jari(_dot_)arkko(_at_)piuha(_dot_)net> wrote:

Tom, Phillip,

Impressive? Not much. If anything, I feel a bit
embarrassed that we are updating our servers
only now :-)

This really was just an IETF service announcement.
The tools team felt that if we are making changes
we should announce them rather than surprise
anybody. We plan to announce similar other things
as well, when there are changes. And I certainly
believe this particular change was a technically
reasonable thing to do.

We do of course have other things to discuss —
how much the IETF is doing for improving email
security in the Internet, and what can be done to
it to begin with. But that is a broader topic that
IMO, doesn’t have much to do with what specific
arrangements we have for our own e-mail
server (and at a particular layer of that server,
even). Phillip's questions are very reasonable
in that broader topic, however.

and supposedly that's on the table now?
would be good to hear what's the plan here.

Well, let's see. We have the UTA WG, which among other things is reworking 
the standards having to do with email's use of TLS. 

We have the DMARC WG, which is addressing various issues surrounding the use 
of DMARC, including but not limited to trying to solve the DMARC-list 
interaction problem.

The DANE WG is working on one draft on using secure DNS for S/MIME
certificates, another on using DANE to associate PGP keys with email
addresses. And historically has done a bunch of work on SMTP security
using DANE.

There are regular discussions of various email security issues - far too many
to list here - on the ietf-smtp, perpass, and appsawg lists. And there
are probably other lists I'm forgetting about.

In summary, a lot of work has been done, and a lot more work is underway.

But none of this seems especially relevant in this context, so this is all
I'm going to say about it.

                              Ned

Apologies for my slowness in responding to email. Thanks for the enumeration of 
ongoing effort, and I agree that none of this seems especially relevant, as my 
earlier question was specifically asking for a plan to address Phillip's comment in 
his first reply to the SSLv3 announcement:

There has probably been no idea more damaging to the security of the
Internet than the idea that end-to-end is the only way to do security.

Email is an intrinsically store and forward system. Every network mail
system has had at least three parties and Internet mail has had a four
corner model since the early 90s.

I'd also add that this issue is not limited to just email (a Cisco forecast 
claims that "Sixty-two percent of all Internet traffic will cross content 
delivery networks by 2019 globally"; note that today's CDN traffic is not 
limited to videos, but includes other, more critical content).  
Let's recognize the fact that "the Internet achieves end-to-end security by an 
end-to-end encrypted channel" is an illusion, as data is not delivered through 
an end-to-end connection in many cases today, and it is likely to become more 
so with more mobiles and DTN-style apps. 

Lixia
