Re: IETF opinion change on "implicit TLS" vs. StartTLS

2018-02-16 Thread Quanah Gibson-Mount
--On Saturday, February 17, 2018 8:58 AM +1000 William Brown 
 wrote:

> > Personally, I'm all for it.  I'd suggest using the above RFC as a
> > template
> > for one formalizing port 636, so it's finally a documented standard.
>
> Great! Where do we go from here to get this formalised properly?

IETF ldapext is the starting point, I'd assume?  Probably worthwhile to 
bring it up on that list?


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: IETF opinion change on "implicit TLS" vs. StartTLS

2018-02-16 Thread William Brown
On Mon, 2018-02-12 at 18:10 -0800, Quanah Gibson-Mount wrote:
> --On Tuesday, February 13, 2018 9:31 AM +1000 William Brown 
>  wrote:
> 
> > On Mon, 2018-02-12 at 14:30 +0100, Michael Ströder wrote:
> > > HI!
> > > 
> > > To me this rationale for SMTP submission with implicit TLS seems
> > > also
> > > applicable to LDAPS vs. StartTLS:
> > > 
> > > https://tools.ietf.org/html/rfc8314#appendix-A
> > > 
> > > So LDAPS should not be considered deprecated. Rather it should be
> > > recommended and the _optional_ use of StartTLS should be strongly
> > > discouraged.
> > 
> > Yes, I strongly agree with this. I have evidence to this fact and
> > can
> > provide it if required,
> 
> Personally, I'm all for it.  I'd suggest using the above RFC as a
> template 
> for one formalizing port 636, so it's finally a documented standard.

Great! Where do we go from here to get this formalised properly? 

> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by
> OpenLDAP:
> 
> 
-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane




Re: IETF opinion change on "implicit TLS" vs. StartTLS

2018-02-13 Thread Michael Ströder
Dieter Klünter wrote:
> Am Mon, 12 Feb 2018 18:10:29 -0800
> schrieb Quanah Gibson-Mount :
> 
>> --On Tuesday, February 13, 2018 9:31 AM +1000 William Brown 
>>  wrote:
>>
>>> On Mon, 2018-02-12 at 14:30 +0100, Michael Ströder wrote:  
>>>> HI!
>>>>
>>>> To me this rationale for SMTP submission with implicit TLS seems
>>>> also applicable to LDAPS vs. StartTLS:
>>>>
>>>> https://tools.ietf.org/html/rfc8314#appendix-A
>>>>
>>>> So LDAPS should not be considered deprecated. Rather it should be
>>>> recommended and the _optional_ use of StartTLS should be strongly
>>>> discouraged.  
>>>
>>> Yes, I strongly agree with this. I have evidence to this fact and
>>> can provide it if required,  
>>
>> Personally, I'm all for it.  I'd suggest using the above RFC as a
>> template for one formalizing port 636, so it's finally a documented
>> standard.
> 
> We had discussed this topic some 10 years ago; at that time Kurt
> had some concerns with regard to ldaps and port 636. Unfortunately I
> can't remember details.

The above mentioned Appendix A references this section which summarizes
the concerns:

https://tools.ietf.org/html/rfc2595#section-7

IMO all these "issues" were even debatable at that time.

Ciao, Michael.





Re: IETF opinion change on "implicit TLS" vs. StartTLS

2018-02-13 Thread Dieter Klünter
Am Mon, 12 Feb 2018 18:10:29 -0800
schrieb Quanah Gibson-Mount :

> --On Tuesday, February 13, 2018 9:31 AM +1000 William Brown 
>  wrote:
> 
> > On Mon, 2018-02-12 at 14:30 +0100, Michael Ströder wrote:  
> >> HI!
> >>
> >> To me this rationale for SMTP submission with implicit TLS seems
> >> also applicable to LDAPS vs. StartTLS:
> >>
> >> https://tools.ietf.org/html/rfc8314#appendix-A
> >>
> >> So LDAPS should not be considered deprecated. Rather it should be
> >> recommended and the _optional_ use of StartTLS should be strongly
> >> discouraged.  
> >
> > Yes, I strongly agree with this. I have evidence to this fact and
> > can provide it if required,  
> 
> Personally, I'm all for it.  I'd suggest using the above RFC as a
> template for one formalizing port 636, so it's finally a documented
> standard.

We had discussed this topic some 10 years ago; at that time Kurt
had some concerns with regard to ldaps and port 636. Unfortunately I
can't remember details.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: IETF opinion change on "implicit TLS" vs. StartTLS

2018-02-12 Thread Quanah Gibson-Mount
--On Tuesday, February 13, 2018 9:31 AM +1000 William Brown 
 wrote:

> On Mon, 2018-02-12 at 14:30 +0100, Michael Ströder wrote:
> > HI!
> >
> > To me this rationale for SMTP submission with implicit TLS seems also
> > applicable to LDAPS vs. StartTLS:
> >
> > https://tools.ietf.org/html/rfc8314#appendix-A
> >
> > So LDAPS should not be considered deprecated. Rather it should be
> > recommended and the _optional_ use of StartTLS should be strongly
> > discouraged.
>
> Yes, I strongly agree with this. I have evidence to this fact and can
> provide it if required,

Personally, I'm all for it.  I'd suggest using the above RFC as a template 
for one formalizing port 636, so it's finally a documented standard.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: IETF opinion change on "implicit TLS" vs. StartTLS

2018-02-12 Thread William Brown
On Mon, 2018-02-12 at 14:30 +0100, Michael Ströder wrote:
> HI!
> 
> To me this rationale for SMTP submission with implicit TLS seems also
> applicable to LDAPS vs. StartTLS:
> 
> https://tools.ietf.org/html/rfc8314#appendix-A
> 
> So LDAPS should not be considered deprecated. Rather it should be
> recommended and the _optional_ use of StartTLS should be strongly
> discouraged.

Yes, I strongly agree with this. I have evidence to this fact and can
provide it if required,



> 
> Ciao, Michael.
> 
-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane