On Thu, Aug 07, 2014 at 04:20:45PM -0400, Paul Wouters wrote:
Rene's concern however is partly about people getting a false sense of
security and not bothering with anything else once they have
unauthenticated encryption everywhere.
That is why FreeS/WAN did not do anonymous IPsec back in 1997. Boy I
wish we had come to a different conclusions at the time. Today, it's
only become more obvious that we need to do this, and yes not bother
the user with a GUI if it is unauthenticated.
If the app/user would fallback to cleartext, then yes.
(I also wish that Dan McDonald's IP_SEC_OPT socket option from back in
1996-ish -which much later inspired RFC5660- had gotten momentum then
too. We wouldn't have to have TCP-layer crypto protocols now.)
Nico
--