On 8/5/2014 2:04 PM, Nico Williams wrote:
> To be more specific OS must not preclude things like DANE that can be
> opportunistic and provide strong authentication.

A reference like that has been made several times, and I don't
understand it.

DANE provides authenticated keys. Given the reliance on DNSSec, the
authentication is substantial.

So while use of DANE has some interesting differences from using a
classic CA-based key, using it as a basis for encryption ought to
qualify as fairly straightforward authenticated encryption.

That doesn't seem at all 'opportunistic' to me.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net