On Sat, Aug 16, 2014 at 4:19 PM, Nico Williams
<nico(_at_)cryptonector(_dot_)com> wrote:
On Sat, Aug 16, 2014 at 04:48:54AM +0000, Viktor Dukhovni wrote:
Perhaps I should expand the example section to explain opportunistic
DANE TLS for SMTP (even if that spec is still some weeks from LC),
not just opportunistic TLS. Then people might have a better
understanding of how opportunistic authentication works with DANE,
and should work generally. I don't want the draft to over-emphasize
DANE, it not just about DANE, but leaving out that example may have
resulted in text that is a too abstract.
For me DANE is the critical piece to understanding how the OS protocol
design pattern can raise the floor without lowering the ceiling and
without encouraging a general reduction of security against active
attacks. The key lies in DNSSEC's authenticated non-existence
functionality.
???
DANE isn't opportunistic security. It is authenticated security policy
and keys. Thats the opposite of opportunistic.