
Re: Review of: Opportunistic Security -03 preview for comment

2014-08-15 15:49:29
Hatless...

On 8/15/14 3:26 PM, Dave Crocker wrote:
On 8/15/2014 1:15 PM, Paul Wouters wrote:

The draft's definition of opportunism is "encrypt where possible, even
without authentication, but mandate authenticated encryption when
advertised".

It does not say the first part, though that language looks quite good to me.

The second part isn't opportunistic.  If authenticated is mandated,
there is nothing to be opportunistic about.  If mandated is included in
opportunistic, then there is no actual meaning to the term other than
something trivial like "we like encryption".

Disagree. Paul's definition still missed a bit, and I think it was the word "mandate" that confused things.

Opportunism here is to take the opportunity to do the *best* encryption you can do. If the other end advertises authenticated encryption, you take the opportunity to do authenticated encryption. If that's unavailable but you can do unauthenticated encryption, that's the best you can do and you opportunistically do that. The difference from the past is that you don't simply give up on encryption if you can't do authenticated strong encryption; you opportunistically use whatever encryption you are able to.

My definition:

      Opportunism is the flexibility to use less-stringent protection,
when stronger protection is not possible.

Using less-stringent protection when stronger protection is not available is not an "opportunity". It's a compromise. The opportunity is to go *up* from what you currently do, not to go down from what you might have done had circumstances been different.

pr

--
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478