On Tue, Jul 08, 2014 at 08:09:40AM -0700, The IESG wrote:
> The IESG has received a request from an individual submitter to consider
> the following document:
> - 'Opportunistic Security: some protection most of the time'
>   <draft-dukhovni-opportunistic-security-01.txt> as Informational RFC
No objections from me.
I think some examples would help convey the meaning of opportunistic
security to many reviewers.
In particular I think it needs to be made clear (and examples would do
it) that when a "security floor" can be securely discovered, then OS cannot
result in less security than that floor. The obvious example is DANE:
because DNSSEC provides secure NXDOMAIN results, it's possible to
securely discover a service's ability to authenticate, and then
authenticate it that way, resulting in no less security than that.
Other examples include TOFU/LoF/pinning.
Note that any security considerations regarding use of DANE are really
just DANE's security considerations. Concerns about MITM attacks by
[compromised] registrars belong in DANE's security considerations,
though I don't object to their being mentioned in Viktor's I-D.
Nico
--
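The "security floor" point made in the message above, as an added illustration that is not part of the post or of the draft: the strongest protection that can be securely discovered for a peer (a DNSSEC-validated TLSA set, or a locally pinned key) becomes the minimum the client will accept, while a validated NXDOMAIN/NODATA or an unsigned zone leaves the floor at plain opportunistic behaviour. The lookup results, pin store and handshake outcome are constructed in-memory stand-ins.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Protection levels, ordered from weakest to strongest."""
    CLEARTEXT = 0
    ENCRYPTED = 1   # unauthenticated TLS (the usual opportunistic outcome)
    PINNED = 2      # TOFU / leap-of-faith: key remembered from a first contact
    DANE = 3        # DNSSEC-validated TLSA record matched the peer's certificate


@dataclass
class TlsaLookup:
    """Constructed stand-in for a DNSSEC-validating resolver's answer."""
    status: str            # "secure", "insecure" (unsigned zone) or "bogus"
    records: tuple = ()    # TLSA records; empty on a validated NXDOMAIN / NODATA


def security_floor(lookup: TlsaLookup, pins: dict, peer: str) -> Level:
    """Minimum level the client must insist on for `peer`.
    Only securely discovered facts raise the floor: a validated TLSA set does;
    a validated NXDOMAIN/NODATA or an unsigned zone does not, so the floor
    stays at CLEARTEXT (encrypt if you can, otherwise carry on in the clear)."""
    if lookup.status == "bogus":
        # A bogus answer is an error, not a downgrade signal: fail closed.
        raise ConnectionError(f"DNSSEC validation failed for {peer}")
    if lookup.status == "secure" and lookup.records:
        return Level.DANE
    if peer in pins:
        return Level.PINNED
    return Level.CLEARTEXT


def connect(lookup: TlsaLookup, pins: dict, peer: str, achievable: Level) -> Level:
    """`achievable` is the best level the handshake with `peer` could reach
    (constructed input standing in for a real handshake result).
    The outcome is never below the floor; a peer that cannot meet it is refused,
    so securely discovered authentication cannot be negotiated away."""
    floor = security_floor(lookup, pins, peer)
    if achievable < floor:
        raise ConnectionError(f"{peer}: floor is {floor.name}, peer offers {achievable.name}")
    return achievable
```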