On Thu, 24 Apr 2014 11:32:12 -0400, Phillip Hallam-Baker wrote:
> ...
>
> For me the idea of putting TLS traffic over the same port as non TLS
> traffic without careful attention to how the upgrade is achieved would
> be 'butchering the protocol'. Changing the port number to one that is
> known to work is a cleaner approach.
>
> ...
Agreed that TLS upgrade must be done carefully. Fortunately we have a number of protocols that have survived a TLS retrofit: IMAP, SMTP, POP3, FTP, XMPP, LDAP, NNTP (according to http://en.wikipedia.org/wiki/STARTTLS). Several of these protocols are used over WANs, although I would guess DNS has far more frequent "help" from transparent middleboxes than they do, so YMMV. I think SMTP is a pretty compelling argument that the World May Not End to do STARTTLS, though.

It is true that a new port "solves" the "oh noes, something changed and I, the firewall/middlebox, hate you" problem. However, it solves that by turning it into the "oh noes, why should I, the firewall, ever open this new port for you". (As has been pointed out.) It seems like a trade-off about which pain one wants to endure.

-John

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
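As an added illustration of the "careful upgrade" the thread is talking about, the following simulates the shape of an SMTP STARTTLS negotiation (RFC 3207) with both sides modelled in-process. It is example code written for this page, not code from the thread or from any SMTP implementation, and it performs no real TLS handshake: `SmtpServer.handshake()` is a stand-in that only flips the connection into its "encrypted" state. The hostnames and capability strings are constructed. What it shows is the discipline a client needs around the upgrade point: discard everything learned in plaintext once TLS is up, re-issue EHLO, and have an explicit policy for the case the thread raises, where a middlebox has stripped the STARTTLS capability from the banner (`advertise_starttls=False`).

```python
"""Simulated SMTP STARTTLS negotiation (RFC 3207 shape).

Added example: both sides are toy objects in one process and no real TLS
handshake happens. Server names and capability lines are constructed.
"""


class SmtpServer:
    """Toy SMTP server. advertise_starttls=False simulates a transparent
    middlebox that removed 'STARTTLS' from the EHLO response."""

    def __init__(self, advertise_starttls=True):
        self.advertise_starttls = advertise_starttls
        self.tls = False  # True once the (simulated) handshake completes

    def ehlo(self):
        caps = ["250-mail.example PIPELINING"]
        # RFC 3207: STARTTLS MUST NOT be advertised once TLS is active.
        if self.advertise_starttls and not self.tls:
            caps.append("250-STARTTLS")
        # Typical hardening: only offer AUTH on the encrypted channel.
        caps.append("250 AUTH PLAIN" if self.tls else "250 SIZE 10240000")
        return caps

    def starttls(self):
        if not self.advertise_starttls or self.tls:
            return "454 TLS not available"
        return "220 Ready to start TLS"

    def handshake(self):
        # Stand-in for the real TLS handshake on the same connection.
        self.tls = True


def client_session(server, require_tls):
    """Run the client side of the negotiation.

    Returns (secured, transcript). With require_tls=True the client quits
    rather than continue in the clear when STARTTLS is not offered; with
    require_tls=False it behaves opportunistically and carries on.
    """
    transcript = ["C: EHLO client.example"]
    plaintext_caps = server.ehlo()
    transcript += ["S: " + c for c in plaintext_caps]

    if not any(c.endswith("STARTTLS") for c in plaintext_caps):
        transcript.append("C: (no STARTTLS offered)")
        if require_tls:
            transcript.append("C: QUIT")
        return False, transcript

    transcript.append("C: STARTTLS")
    reply = server.starttls()
    transcript.append("S: " + reply)
    if not reply.startswith("220"):
        return False, transcript

    server.handshake()
    # RFC 3207: the client MUST discard any knowledge obtained from the
    # server before the upgrade and issue EHLO again over TLS.
    plaintext_caps = None  # nothing learned in the clear is reused
    transcript.append("C: EHLO client.example  (over TLS)")
    tls_caps = server.ehlo()
    transcript += ["S: " + c for c in tls_caps]
    if any(c.endswith("STARTTLS") for c in tls_caps):
        # A conforming server never re-offers STARTTLS inside TLS.
        transcript.append("C: QUIT  (server re-advertised STARTTLS)")
        return False, transcript
    return True, transcript


if __name__ == "__main__":
    for label, srv, strict in [
        ("normal, strict", SmtpServer(), True),
        ("stripped, strict", SmtpServer(advertise_starttls=False), True),
        ("stripped, opportunistic", SmtpServer(advertise_starttls=False), False),
    ]:
        secured, lines = client_session(srv, require_tls=strict)
        print(f"--- {label}: secured={secured}")
        print("\n".join(lines))
```

The three runs in the `__main__` block correspond to the thread's two failure modes: a firewall or middlebox that silently removes the capability defeats an opportunistic client without any visible error, which is exactly why the "strict" policy (or a pre-arranged expectation that TLS is available) matters more than the choice between the same port and a new one.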
