Re: [saag] Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC

2014-08-05 20:07:55
On 8/5/2014 2:04 PM, Nico Williams wrote:
> To be more specific OS must not preclude things like DANE that can be
> opportunistic and provide strong authentication.


A reference like that has been made several times, and I don't
understand it.

DANE provides authenticated keys. Given the reliance on DNSSEC, the
authentication is substantial.

So while use of DANE has some interesting differences from using a
classic CA-based key, using it as a basis for encryption ought to
qualify as fairly straightforward authenticated encryption.

That doesn't seem at all 'opportunistic' to me.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
