Re: [saag] Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC

2014-08-05 22:01:47
On 8/5/2014 7:55 PM, Viktor Dukhovni wrote:
> We'll have to disagree on this.  From the perspective of an MTA
> delivering mail to all possible domains, its security policy is
> opportunistic, doing the best it can with each destination.  When
> DANE support is enabled, it becomes possible to authenticate some
> peers, this is still opportunistic security, with the bar set to
> the right level for each peer, and mail delivery in cleartext should
> a previously DANE-enabled domain withdraw its TLSA RRs, ...

I've read the above several times but do not really understand what it
means.

Also the issue is not whether we agree but what the technical details
are that qualify this as "opportunistic" rather than authenticated
encryption that happens to use DNSSec as a form of CA.

For a term to be useful, there must be a clear and consistent way of
applying it.

The exchange we are having right now makes the meaning -- and therefore
utility -- of opportunistic (foo) -- questionable.  It is simply not
useful to have such a basic assessment reduce to "we'll have to disagree"...

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
