[Cryptography] Certificates and PKI

Viktor Dukhovni cryptography at dukhovni.org
Sun Dec 28 10:13:20 EST 2014

On Sat, Dec 27, 2014 at 01:17:56PM -0700, Tony Arcieri wrote:

> On Sat, Dec 27, 2014 at 1:05 PM, Paul Wouters <paul at cypherpunks.ca> wrote:
> > See also http://en.wikipedia.org/wiki/Opportunistic_encryption
> >
> I'm confused what point you're trying to make. Everything I read there
> corroborates the definition I was using, specifically "fallback to
> unencrypted communications".

"Fallback" is not a core part of the Opportunistic Security
definition.  In fact, fallback is to be avoided in design and/or
deployment unless fielded systems exhibit significant obstacles to
sticking to encryption when advertised.

For example, Sendmail does not do STARTTLS fallback; if a peer
promises STARTTLS, Sendmail will not employ cleartext.  While Postfix
does fall back now (reverts to cleartext when the TLS handshake
fails), this will become configurable in a year or so.

Of course negotiation of STARTTLS is not MiTM resistant without
a secure channel for signalling.  So SMTP with DANE can provide
reasonably comprehensive protection, while opportunistic TLS
alone is still vulnerable to active attacks, no surprise there.
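
The two failure modes the message distinguishes (reverting to cleartext after a failed handshake, versus an active attacker stripping the STARTTLS offer so the client never sees it) are easy to conflate, so here is an added example, not code from the original post or from Sendmail or Postfix, that models the client-side decision as a small state machine. The EHLO replies, the handshake result and the TLSA lookup are constructed in-memory stand-ins, and the policy names `fallback` and `require_tls_from_dane` are this example's own, not names of any real configuration parameter.

```python
"""
Toy model of an SMTP client's STARTTLS decision (added example, not from
the original mailing-list post).  Two distinct threats are modelled:

  1. Handshake failure after STARTTLS was advertised.  A "fallback" client
     (Postfix at the time of the post) reverts to cleartext; a no-fallback
     client (Sendmail) defers delivery instead.
  2. STARTTLS stripping: an active attacker removes the capability from the
     EHLO reply.  No fallback policy can help, because nothing was ever
     promised; only an authenticated out-of-band signal (a DNSSEC-validated
     TLSA record, i.e. DANE) tells the client that TLS is mandatory.

All inputs below are constructed stand-ins, not real network traffic.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    TLS = "encrypted"        # session upgraded to TLS
    CLEARTEXT = "cleartext"  # mail sent in the clear
    ABORT = "deferred"       # client refuses to proceed

# Constructed EHLO reply from an honest server (after the client's "EHLO").
EHLO_HONEST = [
    "250-mail.example.net",
    "250-PIPELINING",
    "250-STARTTLS",
    "250 8BITMIME",
]

# The same server as seen through a MITM that strips the STARTTLS line.
EHLO_STRIPPED = [
    "250-mail.example.net",
    "250-PIPELINING",
    "250 8BITMIME",
]


@dataclass(frozen=True)
class Peer:
    ehlo_lines: list
    handshake_ok: bool       # constructed stand-in for the TLS handshake result
    has_tlsa: bool = False   # constructed stand-in for a DNSSEC-validated TLSA RRset


def advertises_starttls(ehlo_lines):
    """RFC 3207: the capability is the keyword STARTTLS on an EHLO reply line.
    Each line is '250-' or '250 ' followed by the keyword (and optional params)."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_lines)


def deliver(peer, fallback, require_tls_from_dane):
    """Decide how the session ends under a given client policy.

    fallback:              revert to cleartext when STARTTLS was offered but
                           the handshake fails (the behaviour the post
                           attributes to Postfix; Sendmail does not do this).
    require_tls_from_dane: treat a validated TLSA record as a mandate for TLS,
                           so a missing STARTTLS offer is an error, not a
                           reason to send in the clear.
    """
    mandated = require_tls_from_dane and peer.has_tlsa
    if not advertises_starttls(peer.ehlo_lines):
        # Nothing was promised, so "no fallback" has nothing to hold the peer
        # to.  Only an out-of-band mandate prevents cleartext here.
        return Outcome.ABORT if mandated else Outcome.CLEARTEXT
    if peer.handshake_ok:
        return Outcome.TLS
    # STARTTLS was promised but the handshake failed (or, under DANE, the
    # certificate did not match the TLSA record).
    if fallback and not mandated:
        return Outcome.CLEARTEXT
    return Outcome.ABORT


if __name__ == "__main__":
    cases = [
        ("honest, handshake ok, fallback client", Peer(EHLO_HONEST, True), True, False),
        ("honest, handshake fails, fallback client", Peer(EHLO_HONEST, False), True, False),
        ("honest, handshake fails, no-fallback client", Peer(EHLO_HONEST, False), False, False),
        ("STARTTLS stripped, no-fallback client", Peer(EHLO_STRIPPED, False), False, False),
        ("STARTTLS stripped, DANE-mandated", Peer(EHLO_STRIPPED, False, True), False, True),
        ("honest, handshake fails, DANE-mandated", Peer(EHLO_HONEST, False, True), True, True),
    ]
    for label, peer, fb, dane in cases:
        print(f"{label:45s} -> {deliver(peer, fb, dane).value}")
```

The fourth case is the one worth staring at: a client that never falls back still ends in cleartext when the offer is stripped, which is the message's point that opportunistic TLS alone remains open to active attack. Only the DANE-mandated cases refuse, because the TLSA record is the "secure channel for signalling" that the EHLO reply is not. In Postfix the equivalent of that mandate is the `dane` setting of `smtp_tls_security_level` (Postfix 2.11 and later).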

