On 5/12/16 6:48 AM, John R Levine wrote:
>
>>> We really need a threat model beyond "someone might be spying on me."
>>
>> Sorry, but I completely disagree. Because "someone" *is* spying on
>> all of us! It's called full-take and they do it in real-time. Have
>> you been reading the news since June 2013?
>
> Of course there's lots of spying, but I hope we all remember the maxim
> never to attribute to evil what can be explained by incompetence.  For
> every TLS session broken by malicious spying, there will be many more
> broken by misconfigured TLS in the MTA, or a firewall in the wrong
> place, or any of the other reasons we all know.  The sooner people can
> start collecting info about the failures, the sooner they can start
> fixing the screwups that cause them.

Incompetence will show up consistently and therefore can be detected by
a considerably simpler mechanism: a testing site, like Qualys SSL Labs.
I see that there is a checktls.com that does exactly this. Incompetent
email operators will probably not implement reporting anyway.

Reporting is, however, useful for detecting TLS breakages that don't
consistently show up, which are much more likely to be caused by, as you
put it, "evil".

-Jim


_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
