[Cryptography] IAB Statement on Internet Confidentiality

Viktor Dukhovni cryptography at dukhovni.org
Mon Nov 17 17:38:08 EST 2014

On Mon, Nov 17, 2014 at 02:57:31PM -0500, Jerry Leichter wrote:

> Given our recent experience with STARTTLS rollback by at least
> one ISP ... do we still feel so good about opportunistic encryption,
> at least defined in this way?

Yes, we feel good.  Opportunistic security is what you do when
you'd otherwise send in the clear.  It is not weaker than cleartext.

For some protocols (SMTP and XMPP at present), one can opportunistically
attain authenticated encryption via a downgrade-resistant channel
(DNSSEC + DANE); implementations are just starting to support this.

For other protocols we don't even have a specification yet.  This
takes time.  My curated list of SMTP with DANE domains has 372
domains.  It is early days yet.

I encourage the folks here to deploy DNSSEC and publish DANE TLSA
records for their MX hosts.  That said, better to not do it at all,
than do it wrong.  Make sure you're prepared to keep the DNSSEC
signatures and TLSA records correct, and that you understand key
rotation for both DNSSEC and TLSA.

The necessary invariants are:

    * Never have dangling DS RRs: each DS RR should always map
      to a DNSKEY in the zone, even when the DS RR is cached,
      so keep TTLs in mind.  [ Add DNSKEY RRs before adding DS.
      Remove DSs before removing DNSKEYs. ]

    * Never deploy server certificate chains that don't match
      some TLSA RR. [ Add TLSA RRs and wait a TTL or two, before
      changing the server chain. ]

For DNSSEC sanity checks,


For SMTP with TLSA sanity checks, stay tuned, new test site coming
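
The first invariant in the message above (no dangling DS RRs), as an added example that is not part of the original post: it derives the DS each DNSKEY would produce (RFC 4034 key tag, SHA-256 digest) and reports DS RRs with no matching DNSKEY. The owner name and key bytes are constructed, the function names are this example's own, and only DS digest type 2 is handled.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def dangling_ds(owner, ds_rrset, dnskey_rrset):
    """Return the DS RRs that map to no DNSKEY in the zone's DNSKEY RRset."""
    published = {make_ds(owner, rdata) for rdata in dnskey_rrset}
    return [ds for ds in ds_rrset if ds not in published]

def safe_to_remove_dnskey(ds_removed_at, ds_ttl, now):
    """A removed DS can stay cached for one DS TTL; keep the DNSKEY until then."""
    return now >= ds_removed_at + ds_ttl

# Constructed sample keys (patterned bytes, not real zone keys).
OWNER = "example.org."
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))

def rollover_report():
    # Correct order: new DNSKEY is in the zone before its DS is at the parent.
    good = dangling_ds(OWNER, [make_ds(OWNER, OLD_KSK)], [OLD_KSK, NEW_KSK])
    # Wrong order: DS for the new key is published before the DNSKEY exists.
    bad = dangling_ds(OWNER, [make_ds(OWNER, OLD_KSK), make_ds(OWNER, NEW_KSK)], [OLD_KSK])
    return good, bad

if __name__ == "__main__":
    good, bad = rollover_report()
    print("DNSKEY added first, dangling DS:", good)
    print("DS added first, dangling DS:", bad)
```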

