ietf
[Top] [All Lists]

Re: [saag] Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC

2014-08-06 20:34:36
On Wed, Aug 06, 2014 at 09:23:02PM -0400, Paul Wouters wrote:

To be more specific OS must not preclude things like DANE that can be
opportunistic and provide strong authentication.

Do no forget that during the saag discussion that preceded this
draft, this was one of the main differences between our views, and
that I do not subscribe to the view that opportunistic security is
a narrow response to PM or that it should be limited to promoting
just unauthenticated encryption.

More than that: why should OS stop there?

Aren't these two comments of contradicting? First you say authenticated
encryption is not opportunistic security,  then you say that OS should
be more then just unauthenticated encryption and should not stop there?

No contradiction.  Neither Nico, nor the draft state the authenticated
encryption is mutually exclusive with opportunistic security.  Both
in fact say the opposite.  However, an indiscriminate static policy
that applies a fixed authenticated security policy to all peers
regardless of capabilities (and fails when the peer does not measure
up, even though there no reason to expect that the peer could be
authenticated, other than said static policy) is not opportunistic.

    * Fixed high bar:

        not opportunistic security

    * Variable bar, set high for peers that securely publish requisite 
capabilities,
      and lower for peers that don't, possibly even allowing cleartext, or at 
least
      unauthenticated encryption:

        opportunistic security.

The two approaches can coexist, when an organization has high value
business relationships with select peers, and wants guaranteed
protection for traffic with them, but to promote as secure as
possible communication with the rest of the planet, is more liberal
(opportunistic) in its default communications policy.

-- 
        Viktor.

<Prev in Thread] Current Thread [Next in Thread>