EFF STARTTLS Everywhere project

  • Per Thorsheim
    Message 1 of 8, Jul 29, 2014
      I don't know if this list is aware of this project?
      https://github.com/EFForg/starttls-everywhere

      An intermediate effort before DNSSEC and DANE (hopefully) gets seriously
      deployed around the world and various TLDs. EFF will talk about this at
      PasswordsCon next week in Las Vegas, and I'll make references to this
      and DANE TLS in my talk at the DEFCON Crypto & Privacy Village. I'm very
      happy to see that these issues are gaining a lot of attention these days.

      Viktor: Is the IEEE meeting done yet? Any status update for DANE TLS?

      BR,
      Per Thorsheim
    • Viktor Dukhovni
      Message 2 of 8, Jul 29, 2014
        On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote:

        > I don't know if this list is aware of this project?
        >
        > https://github.com/EFForg/starttls-everywhere

        The EFF folks behind this effort have reached out to me and we've
        discussed some of the issues. I am somewhat ambivalent about this,
        as it introduces a non-scalable registry that does fully address
        the problem, and perhaps reduces incentives to do it right and
        deploy DANE. On the other hand, DNSSEC adoption by large providers
        is a non-trivial effort, and they cannot yet deploy DANE as quickly
        as they may be able to sign up for the EFF registry. So I am not
        sure whether this is a step forward or sideways.

        > An intermediate effort before DNSSEC and DANE (hopefully) gets seriously
        > deployed around the world and various TLDs. EFF will talk about this at
        > PasswordsCon next week in Las Vegas, and I'll make references to this
        > and DANE TLS in my talk at the DEFCON Crypto & Privacy Village. I'm very
        > happy to see that these issues are gaining a lot of attention these days.
        >
        > Viktor: Is the IEEE meeting done yet? Any status update for DANE TLS?

        I think you mean IETF (not IEEE). Yes IETF Toronto is done, and
        the SMTP draft is basically ready and has not been changed in many
        weeks. The main hold-up is that the WG chairs wanted to publish
        the SMTP and SRV drafts together, but the latter is substantially
        less ready. Perhaps I should ask the chairs to decouple these.

        The Toronto meeting was looking at the OPS draft which updates DANE
        TLSA in general (not SMTP specific).

        The only issue in the SMTP draft that may require final review by
        the DANE WG is digest agility, I'll post a message to the list
        this week, now that everyone is back from Toronto, and try to
        wrap it up.

        In the meantime Patrick Koetter et al. are doing great work in
        Germany getting more organizations to deploy DANE. So far:

        posteo.de (email provider)
        mailbox.org (email provider)
        bund.de (German Parliament)

        and more on the way...

        --
        Viktor.
      • Per Thorsheim
        Message 3 of 8, Jul 29, 2014
          On 29.07.2014 16:14, Viktor Dukhovni wrote:
          > On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote:
          >
          >> I don't know if this list is aware of this project?
          >>
          >> https://github.com/EFForg/starttls-everywhere
          >
          > The EFF folks behind this effort have reached out to me and we've
          > discussed some of the issues. I am somewhat ambivalent about this,
          > as it introduces a non-scalable registry that does fully address
          > the problem, and perhaps reduces incentives to do it right and
          > deploy DANE. On the other hand, DNSSEC adoption by large providers
          > is a non-trivial effort, and they cannot yet deploy DANE as quickly
          > as they may be able to sign up for the EFF registry. So I am not
          > sure whether this is a step forward or sideways.

          Hm. Yeah, I get your point, and I agree with you. I look forward to talking
          to them directly, and will ask them more about the reasoning behind the
          project, and how they intend to proceed with getting it deployed.

          >> An intermediate effort before DNSSEC and DANE (hopefully) gets seriously
          >> deployed around the world and various TLDs. EFF will talk about this at
          >> PasswordsCon next week in Las Vegas, and I'll make references to this
          >> and DANE TLS in my talk at the DEFCON Crypto & Privacy Village. I'm very
          >> happy to see that these issues are gaining a lot of attention these days.
          >>
          >> Viktor: Is the IEEE meeting done yet? Any status update for DANE TLS?
          >
          > I think you mean IETF (not IEEE). Yes IETF Toronto is done, and
          > the SMTP draft is basically ready and has not been changed in many
          > weeks. The main hold-up is that the WG chairs wanted to publish
          > the SMTP and SRV drafts together, but the latter is substantially
          > less ready. Perhaps I should ask the chairs to decouple these.
          >
          > The Toronto meeting was looking at the OPS draft which updates DANE
          > TLSA in general (not SMTP specific).
          >
          > The only issue in the SMTP draft that may require final review by
          > the DANE WG is digest agility, I'll post a message to the list
          > this week, now that everyone is back from Toronto, and try to
          > wrap it up.

          Excellent, thx! I'll make sure to include it in my reference list for my
          talks. I look forward to seeing it finalized.

          > In the meantime Patrick Koetter et al. are doing great work in
          > Germany getting more organizations to deploy DANE. So far:
          >
          > posteo.de (email provider)
          > mailbox.org (email provider)
          > bund.de (German Parliament)

          This is very good, and can without doubt be communicated to the ACLU and
          EFF as well as others, to further improve deployment rates. I'll mention
          these as well, and make sure it reaches ACLU & EFF. I'm also working
          towards the Norwegian government, which is evaluating whether it should
          recommend that all parts of the Norwegian government implement STARTTLS
          support, as step 1 towards something much better.

          Thx Viktor!

          BR,
          Per
        • Patrick Ben Koetter
          Message 4 of 8, Jul 29, 2014
            * Viktor Dukhovni <postfix-users@...>:
            > On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote:
            >
            > > I don't know if this list is aware of this project?
            > >
            > > https://github.com/EFForg/starttls-everywhere
            >
            > The EFF folks behind this effort have reached out to me and we've
            > discussed some of the issues. I am somewhat ambivalent about this,
            > as it introduces a non-scalable registry that does fully address
            > the problem, and perhaps reduces incentives to do it right and
            > deploy DANE. On the other hand, DNSSEC adoption by large providers
            > is a non-trivial effort, and they cannot yet deploy DANE as quickly
            > as they may be able to sign up for the EFF registry. So I am not
            > sure whether this is a step forward or sideways.
            >
            > > An intermediate effort before DNSSEC and DANE (hopefully) gets seriously
            > > deployed around the world and various TLDs. EFF will talk about this at
            > > PasswordsCon next week in Las Vegas, and I'll make references to this
            > > and DANE TLS in my talk at the DEFCON Crypto & Privacy Village. I'm very
            > > happy to see that these issues are gaining a lot of attention these days.
            > >
            > > Viktor: Is the IEEE meeting done yet? Any status update for DANE TLS?
            >
            > I think you mean IETF (not IEEE). Yes IETF Toronto is done, and
            > the SMTP draft is basically ready and has not been changed in many
            > weeks. The main hold-up is that the WG chairs wanted to publish
            > the SMTP and SRV drafts together, but the latter is substantially
            > less ready. Perhaps I should ask the chairs to decouple these.
            >
            > The Toronto meeting was looking at the OPS draft which updates DANE
            > TLSA in general (not SMTP specific).
            >
            > The only issue in the SMTP draft that may require final review by
            > the DANE WG is digest agility, I'll post a message to the list
            > this week, now that everyone is back from Toronto, and try to
            > wrap it up.
            >
            > In the meantime Patrick Koetter et al. are doing great work in
            > Germany getting more organizations to deploy DANE. So far:
            >
            > posteo.de (email provider)
            > mailbox.org (email provider)
            > bund.de (German Parliament)

            For the books: sys4 did not enable bund.de. But we helped to spread the news.
            More German ISPs coming soon...

            p@rick

            --
            [*] sys4 AG

            https://sys4.de, +49 (89) 30 90 46 64
            Franziskanerstraße 15, 81669 München

            Registered office: Munich, Munich District Court: HRB 199263
            Management board: Patrick Ben Koetter, Marc Schiffbauer
            Chairman of the supervisory board: Florian Kirstein
          • Patrick Ben Koetter
            Message 5 of 8, Jul 29, 2014
              * Patrick Ben Koetter <postfix-users@...>:
              > * Viktor Dukhovni <postfix-users@...>:
              > > On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote:
              > >
              > > > I don't know if this list is aware of this project?
              > > >
              > > > https://github.com/EFForg/starttls-everywhere
              > >
              > > The EFF folks behind this effort have reached out to me and we've
              > > discussed some of the issues. I am somewhat ambivalent about this,
              > > as it introduces a non-scalable registry that does fully address
              > > the problem, and perhaps reduces incentives to do it right and
              > > deploy DANE. On the other hand, DNSSEC adoption by large providers
              > > is a non-trivial effort, and they cannot yet deploy DANE as quickly
              > > as they may be able to sign up for the EFF registry. So I am not
              > > sure whether this is a step forward or sideways.
              > >
              > > > An intermediate effort before DNSSEC and DANE (hopefully) gets seriously
              > > > deployed around the world and various TLDs. EFF will talk about this at
              > > > PasswordsCon next week in Las Vegas, and I'll make references to this
              > > > and DANE TLS in my talk at the DEFCON Crypto & Privacy Village. I'm very
              > > > happy to see that these issues are gaining a lot of attention these days.
              > > >
              > > > Viktor: Is the IEEE meeting done yet? Any status update for DANE TLS?
              > >
              > > I think you mean IETF (not IEEE). Yes IETF Toronto is done, and
              > > the SMTP draft is basically ready and has not been changed in many
              > > weeks. The main hold-up is that the WG chairs wanted to publish
              > > the SMTP and SRV drafts together, but the latter is substantially
              > > less ready. Perhaps I should ask the chairs to decouple these.
              > >
              > > The Toronto meeting was looking at the OPS draft which updates DANE
              > > TLSA in general (not SMTP specific).
              > >
              > > The only issue in the SMTP draft that may require final review by
              > > the DANE WG is digest agility, I'll post a message to the list
              > > this week, now that everyone is back from Toronto, and try to
              > > wrap it up.
              > >
              > > In the meantime Patrick Koetter et al. are doing great work in
              > > Germany getting more organizations to deploy DANE. So far:
              > >
              > > posteo.de (email provider)
              > > mailbox.org (email provider)
              > > bund.de (German Parliament)
              >
              > For the books: sys4 did not enable bund.de. But we helped to spread the news.
              > More German ISPs coming soon...

              Oh, and we didn't enable mailbox.org either. Heinlein did that. It's their
              product.

              p@rick

              --
              [*] sys4 AG
            • Robert Schetterer
              Message 6 of 8, Jul 29, 2014
                On 29.07.2014 at 16:14, Viktor Dukhovni wrote:
                > On Tue, Jul 29, 2014 at 03:57:24PM +0200, Per Thorsheim wrote:
                >
                >> I don't know if this list is aware of this project?
                >>
                >> https://github.com/EFForg/starttls-everywhere
                >
                > The EFF folks behind this effort have reached out to me and we've
                > discussed some of the issues. I am somewhat ambivalent about this,
                > as it introduces a non-scalable registry that does fully address
                > the problem, and perhaps reduces incentives to do it right and
                > deploy DANE. On the other hand, DNSSEC adoption by large providers
                > is a non-trivial effort, and they cannot yet deploy DANE as quickly
                > as they may be able to sign up for the EFF registry. So I am not
                > sure whether this is a step forward or sideways.

                Hi Viktor, perhaps a silly question: I sometimes asked myself why not use
                something like an advanced SPF record, i.e.

                IN SPF "v=spf1 mx ip4:1.2.3.4/24
                TLSPOLICY:require-valid-certificate -all"

                etc., as a temporary solution

                >
                >> An intermediate effort before DNSSEC and DANE (hopefully) gets seriously
                >> deployed around the world and various TLDs. EFF will talk about this at
                >> PasswordsCon next week in Las Vegas, and I'll make references to this
                >> and DANE TLS in my talk at the DEFCON Crypto & Privacy Village. I'm very
                >> happy to see that these issues are gaining a lot of attention these days.
                >>
                >> Viktor: Is the IEEE meeting done yet? Any status update for DANE TLS?
                >
                > I think you mean IETF (not IEEE). Yes IETF Toronto is done, and
                > the SMTP draft is basically ready and has not been changed in many
                > weeks. The main hold-up is that the WG chairs wanted to publish
                > the SMTP and SRV drafts together, but the latter is substantially
                > less ready. Perhaps I should ask the chairs to decouple these.
                >
                > The Toronto meeting was looking at the OPS draft which updates DANE
                > TLSA in general (not SMTP specific).
                >
                > The only issue in the SMTP draft that may require final review by
                > the DANE WG is digest agility, I'll post a message to the list
                > this week, now that everyone is back from Toronto, and try to
                > wrap it up.
                >
                > In the meantime Patrick Koetter et al. are doing great work in
                > Germany getting more organizations to deploy DANE. So far:
                >
                > posteo.de (email provider)
                > mailbox.org (email provider)
                > bund.de (German Parliament)
                >
                > and more on the way...
                >



                Best Regards
                MfG Robert Schetterer

                --
                [*] sys4 AG
              • Viktor Dukhovni
                Message 7 of 8, Jul 29, 2014
                  On Tue, Jul 29, 2014 at 05:10:25PM +0200, Robert Schetterer wrote:

                  > Hi Viktor, perhaps a silly question: I sometimes asked myself why not use
                  > something like an advanced SPF record, i.e.
                  >
                  > IN SPF "v=spf1 mx ip4:1.2.3.4/24
                  > TLSPOLICY:require-valid-certificate -all"

                  Well SPF records are for policy applied by receiving systems to
                  sending systems, while the problem at hand is TLS policy that
                  sending systems should apply to receiving systems. So SPF is
                  the wrong place to publish the information.

                  Generalizing your suggestion to some other DNS record, if it is
                  not DNSSEC protected (including verified non-existence), then
                  it serves no purpose since an active attacker can suppress such
                  a record. To thwart passive attacks, just STARTTLS is enough.

                  Thus DANE, which provides a downgrade-resistant signal of TLS
                  support, and also publishes the requisite certificate or public
                  key fingerprints to resist TLS MiTM attacks.

                  You're re-inventing DANE... The key observation is that DNS
                  policy records that are not DNSSEC validated don't add any
                  value in terms of MiTM resistance.

                  The EFF registry presumably publishes the data over a "secure
                  channel" (https, presumably via a sensibly chosen CA), and once
                  Postfix policy tables are generated from this data, active attacks
                  are difficult.

                  --
                  Viktor.
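The sender-side decision described in the message above, as an added example that is not part of the thread and not Postfix code: a small Python model of a sending MTA choosing its TLS policy from three sources (a hypothetical unsigned DNS "require TLS" record, a DNSSEC-validated TLSA record, and a local policy table of the kind a registry could generate), facing an on-path attacker that can suppress DNS answers, strip STARTTLS from the EHLO response, or terminate TLS with its own key. The zone contents, the SPKI byte strings, the attacker model and all names (`Zone`, `Attacker`, `Resolver`, `choose_policy`, `deliver`, `run`) are constructed for this example; the policy levels loosely mirror Postfix's may/encrypt/dane/secure, and "bogus lookup defers the mail" is modelled on how a DANE-aware MTA treats a DNSSEC validation failure, which is an assumption of the model rather than a claim about any particular implementation.

```python
"""Model of downgrade resistance for STARTTLS policy sources (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real
# "3 1 1" TLSA record carries sha256(SPKI) of the MX host's certificate.
RECEIVER_SPKI = b"constructed SPKI of mx.example.com"
ATTACKER_SPKI = b"constructed SPKI of the on-path attacker"


def spki_digest(spki: bytes) -> str:
    """Hex SHA-256 of an SPKI, i.e. the data field of a TLSA 3 1 1 record."""
    return hashlib.sha256(spki).hexdigest()


@dataclass
class Zone:
    signed: bool                   # receiving domain's zone is DNSSEC-signed
    tlsa_digest: Optional[str]     # _25._tcp.mx TLSA 3 1 1 digest, or None
    policy_txt: Optional[str]      # hypothetical unsigned "require-tls" record


@dataclass
class Attacker:
    suppress_dns: bool = False     # drop or forge the policy-bearing answers
    strip_starttls: bool = False   # remove STARTTLS from the EHLO response
    mitm_tls: bool = False         # terminate TLS using ATTACKER_SPKI


class Resolver:
    """Validating stub resolver. query() returns (status, data) with status
    'secure' (validated, including authenticated denial of existence),
    'insecure' (unsigned zone) or 'bogus' (signed zone, proofs missing)."""

    def __init__(self, zone: Zone, attacker: Attacker):
        self.zone, self.attacker = zone, attacker

    def query(self, name: str) -> Tuple[str, Optional[str]]:
        if self.attacker.suppress_dns:
            # A forged negative answer cannot carry valid NSEC/RRSIG proofs,
            # so for a signed zone the validator sees 'bogus', not 'absent'.
            return ("bogus", None) if self.zone.signed else ("insecure", None)
        return ("secure" if self.zone.signed else "insecure", getattr(self.zone, name))


def choose_policy(resolver: Resolver, local_table: dict, dest: str):
    """Sender-side policy for one destination: (level, expected SPKI digest)."""
    if dest in local_table:                 # registry-derived policy table wins
        return "secure", local_table[dest]
    status, digest = resolver.query("tlsa_digest")
    if status == "bogus":
        return "defer", None                # validation failure: defer, never downgrade
    if status == "secure" and digest:
        return "dane", digest               # authenticated TLSA present
    _, txt = resolver.query("policy_txt")   # unsigned record: only as good as its survival
    if txt == "require-tls":
        return "encrypt", None
    return "may", None                      # opportunistic TLS


def deliver(level: str, expected: Optional[str], attacker: Attacker) -> str:
    """Outcome of the SMTP session under the chosen level."""
    if level == "defer":
        return "deferred"
    if attacker.strip_starttls:
        return "cleartext" if level == "may" else "deferred"
    presented = ATTACKER_SPKI if attacker.mitm_tls else RECEIVER_SPKI
    if level in ("secure", "dane"):         # these levels authenticate the peer
        return "authenticated" if spki_digest(presented) == expected else "deferred"
    return "intercepted" if attacker.mitm_tls else "encrypted-unverified"


def run(zone: Zone, attacker: Attacker, local_table=None, dest="example.com"):
    level, expected = choose_policy(Resolver(zone, attacker), local_table or {}, dest)
    return level, deliver(level, expected, attacker)


if __name__ == "__main__":
    unsigned = Zone(signed=False, tlsa_digest=None, policy_txt="require-tls")
    signed = Zone(signed=True, tlsa_digest=spki_digest(RECEIVER_SPKI), policy_txt=None)
    downgrade = Attacker(suppress_dns=True, strip_starttls=True)
    print("unsigned record, active attacker:", run(unsigned, downgrade))
    print("DANE zone, active attacker:      ", run(signed, downgrade))
    print("local table, DNS suppressed:     ",
          run(unsigned, downgrade, {"example.com": spki_digest(RECEIVER_SPKI)}))
```

What the model makes concrete is the observation in the message: with an unsigned record, the attacker's suppression is indistinguishable from the record's absence, so the sender falls back to opportunistic TLS and a STARTTLS strip yields cleartext; in a signed zone the same suppression leaves the validator with a bogus answer and the mail is deferred rather than downgraded; a local policy table is immune to DNS suppression, but only for the destinations that are in it.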
                • Robert Schetterer
                  Message 8 of 8, Jul 29, 2014
                    On 29.07.2014 at 17:23, Viktor Dukhovni wrote:
                    > On Tue, Jul 29, 2014 at 05:10:25PM +0200, Robert Schetterer wrote:
                    >
                    >> Hi Viktor, perhaps a silly question: I sometimes asked myself why not use
                    >> something like an advanced SPF record, i.e.
                    >>
                    >> IN SPF "v=spf1 mx ip4:1.2.3.4/24
                    >> TLSPOLICY:require-valid-certificate -all"
                    >
                    > Well SPF records are for policy applied by receiving systems to
                    > sending systems, while the problem at hand is TLS policy that
                    > sending systems should apply to receiving systems. So SPF is
                    > the wrong place to publish the information.

                    OK

                    >
                    > Generalizing your suggestion to some other DNS record, if it is
                    > not DNSSEC protected (including verified non-existence), then
                    > it serves no purpose since an active attacker can suppress such
                    > a record. To thwart passive attacks, just STARTTLS is enough.

                    makes sense

                    >
                    > Thus DANE, which provides a downgrade-resistant signal of TLS
                    > support, and also publishes the requisite certificate or public
                    > key fingerprints to resist TLS MiTM attacks.
                    >
                    > You're re-inventing DANE... The key observation is that DNS
                    > policy records that are not DNSSEC validated don't add any
                    > value in terms of MiTM resistance.
                    >
                    > The EFF registry presumably publishes the data over a "secure
                    > channel" (https, presumably via a sensibly chosen CA), and once
                    > Postfix policy tables are generated from this data, active attacks
                    > are difficult.
                    >

                    Agree, thx for making this clear!
                    I am working on enabling DNSSEC and DANE here.


                    Best Regards
                    MfG Robert Schetterer

                    --
                    [*] sys4 AG