On 8/5/2014 2:04 PM, Nico Williams wrote:
> To be more specific OS must not preclude things like DANE that can be
> opportunistic and provide strong authentication.

A reference like that has been made several times, and I don't understand it.

DANE provides authenticated keys. Given the reliance on DNSSec, the authentication is substantial.

So while use of DANE has some interesting differences from using a classic CA-based key, using it as a basis for encryption ought to qualify as fairly straightforward authenticated encryption.

That doesn't seem at all 'opportunistic' to me.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net