The idea seems to be that there is an append only log server that clients are gong to be checking. So we can use that to stuff security policy information into the system.
The problem is that the client only checks the CT logs in the normal case after it has decided to use TLS. So there is certainly a value in using an append only log to publish security policy data and in fact I do this in PPE. But it is only a solution to the downgrade attack problem with a lot of extra infrastructure. For example an Omnibroker scanning the CT log and using that to build the connection profile. On Tue, Feb 25, 2014 at 2:47 PM, Trevor Freeman < [email protected]> wrote: > I don't see the relevance of CT to opportunistic STARTTLS. > > Opportunistic STARTTLS is a feature of the sender whereby the sender picks > STARTTLS if offered, but otherwise will send the email. If the alternative > was send unprotected over plain TCP, you may as well negotiate TLS if > offered. Moreover, if TLS negotiation fails for whatever reason, the send > remembers the fact and done not attempt to negotiate next time. > > The sender does have a list of SMTP domains where it requires TLS > authentication, but that is mandatory STARTTLS. > > -----Original Message----- > From: Trans [mailto:[email protected]] On Behalf Of Paul Hoffman > Sent: Tuesday, February 25, 2014 9:54 AM > To: Ben Laurie > Cc: [email protected]; Daniel Kahn Gillmor > Subject: Re: [Trans] CT for opportunistic STARTTLS in SMTP > > On Feb 25, 2014, at 9:36 AM, Ben Laurie <[email protected]> wrote: > > >> At the earlier CT meeting, I think someone proposed that there could be > a check that the cert was in actual use at the place it said it was. > > > > That does not seem effective to me. > > It is more effective than doing nothing; it may not be effective enough to > prevent overwhelm by spam. I was just pointing it out as something that was > proposed, not well-thought-out. > > --Paul Hoffman > _______________________________________________ > Trans mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/trans > > _______________________________________________ > Trans mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/trans > -- Website: http://hallambaker.com/
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
