[Cryptography] Certificates and PKI
Viktor Dukhovni
cryptography at dukhovni.org
Sun Dec 28 10:13:20 EST 2014
On Sat, Dec 27, 2014 at 01:17:56PM -0700, Tony Arcieri wrote:
> On Sat, Dec 27, 2014 at 1:05 PM, Paul Wouters <paul at cypherpunks.ca> wrote:
>
> > See also http://en.wikipedia.org/wiki/Opportunistic_encryption
> >
>
> I'm confused what point you're trying to make. Everything I read there
> corroborates the definition I was using, specifically "fallback to
> unencrypted communications".
>
"Fallback" is not a core part of the Opportunistic Security
definition. In fact fallback is to be avoided in design and/or
deployment unless fielded systems exhibit significant obstacles to
sticking to encryption when advertised.
For example, Sendmail does not do STARTTLS fallback: if a peer
promises STARTTLS, Sendmail will not employ cleartext. While Postfix
does fall back now (reverts to cleartext when the TLS handshake
fails), this will become configurable in a year or so.
Of course negotiation of STARTTLS is not MiTM resistant without
a secure channel for signalling. So SMTP with DANE can provide
reasonably comprehensive protection, while opportunistic TLS
alone is still vulnerable to active attacks, no surprise there.
--
Viktor.
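The no-fallback rule and the DANE case discussed above, as an added example that is not from the post nor from Sendmail or Postfix. It parses a constructed EHLO reply and decides what a sending MTA should do; the TLS handshake (and, for DANE, the TLSA match) is simulated by a callable passed in, since the verification itself is outside this illustration.

```python
import re
import ssl

# Constructed EHLO replies used as sample input (not taken from the post).
EHLO_WITH_STARTTLS = "250-mx.example.net Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_NO_STARTTLS = "250-mx.example.net Hello\r\n250 SIZE 10240000\r\n"


def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line EHLO reply.

    The first '250-' line is the server greeting, not an extension; '250 ' (space)
    marks the final line. Keyword parameters (e.g. the SIZE limit) are ignored.
    """
    keywords = set()
    for lineno, line in enumerate(reply.splitlines()):
        m = re.match(r"^250[- ](\S+)", line)
        if m and lineno > 0:
            keywords.add(m.group(1).upper())
    return keywords


def handshake_succeeds():
    """Simulated handshake that completes (and, under DANE, matched the TLSA record)."""
    return True


def handshake_fails():
    """Simulated handshake failure, e.g. a peer that advertises STARTTLS but cannot negotiate."""
    raise ssl.SSLError("simulated TLS handshake failure")


def plan_delivery(ehlo_reply, handshake, fallback=False, tlsa_published=False):
    """Decide the sender's next step after EHLO.

    fallback=False is the Sendmail behaviour the post describes: once STARTTLS is
    advertised, a failed handshake defers the message rather than sending cleartext.
    tlsa_published=True models DANE: the TLSA record is the secure signal, so only a
    verified TLS session is acceptable and anything else is deferred.
    """
    advertised = "STARTTLS" in parse_ehlo(ehlo_reply)
    if tlsa_published and not advertised:
        return "defer"
    if not advertised:
        return "send-cleartext"  # nothing promised, so nothing to enforce (opportunistic)
    try:
        tls_ok = handshake()
    except ssl.SSLError:
        tls_ok = False
    if tls_ok:
        return "send-tls-verified" if tlsa_published else "send-tls"
    if tlsa_published:
        return "defer"
    return "send-cleartext" if fallback else "defer"
```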