
Re: [saag] Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC

2014-08-05 22:22:51
On Tue, Aug 05, 2014 at 11:14:27PM -0400, Scott Kitterman wrote:

> > For a term to be useful, there must be a clear and consistent way of
> > applying it.
> >
> > The exchange we are having right now makes the meaning -- and therefore
> > utility -- of opportunistic (foo) -- questionable.  It is simply not
> > useful to have such a basic assessment reduce to "we'll have to disagree"...
>
> It seems to me that all it means is that the MTA is taking the opportunity
> to make the most secure connection it can on a peer basis.  Sometimes that's
> going to be a full DANE negotiated session protected by DNSSEC.  Other
> times it's not.  I think the major point of opportunistic isn't how good
> the resulting security is, but the idea of taking advantage of the best
> option available on a per peer basis rather than treating it as all or
> nothing.

Exactly.

Opportunistic security operates at a variable protection level,
not fixed by a-priori policy.  Rather, it is tuned to the apparent
capabilities of the peer.  Some appearances are not downgrade
resistant (enabling active downgrade attacks), and some don't
reflect reality (breaking interoperability when the peer promises
more than it can deliver).

--      
        Viktor.
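An added illustration of the per-peer level selection and the two failure modes Viktor names (an offer that is not downgrade resistant, and a promise that does not reflect reality). This is example code written for this archive page, not Viktor's, Scott's, or any MTA's code; the `Peer` fields and the deliver/defer outcomes are a simplified model of what a sending MTA can observe.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

class Level(IntEnum):
    CLEARTEXT = 0      # no TLS at all
    ENCRYPTED = 1      # unauthenticated STARTTLS (passive protection only)
    AUTHENTICATED = 2  # TLS with the certificate matched against DANE TLSA data

@dataclass(frozen=True)
class Peer:
    """What a sending MTA observes about one receiving MTA (constructed model)."""
    starttls_advertised: bool        # from the EHLO reply; an on-path attacker can remove it
    tlsa_present: bool = False       # a TLSA record exists for the MX host
    dnssec_validated: bool = False   # TLSA answer was DNSSEC-validated (downgrade resistant)
    cert_matches_tlsa: bool = False  # presented certificate matches a TLSA record

def choose_level(peer):
    """Return (level, action) for this peer: the strongest level it appears
    to support, decided per peer rather than by a fixed global policy."""
    if peer.tlsa_present and peer.dnssec_validated:
        # Signed TLSA data is a downgrade-resistant promise of authenticated TLS.
        if peer.starttls_advertised and peer.cert_matches_tlsa:
            return Level.AUTHENTICATED, "deliver"
        # STARTTLS vanished or the certificate breaks the promise: defer rather
        # than silently fall back to a weaker level.
        return Level.AUTHENTICATED, "defer"
    if peer.starttls_advertised:
        # No signed promise: take STARTTLS if offered, knowing the offer itself
        # is not downgrade resistant.
        return Level.ENCRYPTED, "deliver"
    return Level.CLEARTEXT, "deliver"

def strip_starttls(peer):
    """Model an on-path attacker deleting STARTTLS from the EHLO reply."""
    return replace(peer, starttls_advertised=False)

def downgrade_outcomes():
    """Compare a plain-STARTTLS peer with a DANE peer under the same stripping."""
    plain = Peer(starttls_advertised=True)
    dane = Peer(starttls_advertised=True, tlsa_present=True,
                dnssec_validated=True, cert_matches_tlsa=True)
    broken = replace(dane, cert_matches_tlsa=False)  # promises more than it delivers
    return {
        "plain": choose_level(plain),
        "plain_stripped": choose_level(strip_starttls(plain)),
        "dane": choose_level(dane),
        "dane_stripped": choose_level(strip_starttls(dane)),
        "dane_broken_promise": choose_level(broken),
    }
```

The plain peer silently drops to cleartext when its STARTTLS offer is removed, while the DANE peer's signed promise turns the same removal (or a mismatched certificate) into a deferral, which is the interoperability cost of a promise the peer cannot keep.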
