On 8/5/2014 7:55 PM, Viktor Dukhovni wrote:
> We'll have to disagree on this. From the perspective of an MTA
> delivering mail to all possible domains, its security policy is
> opportunistic, doing the best it can with each destination. When
> DANE support is enabled, it becomes possible to authenticate some
> peers, this is still opportunistic security, with the bar set to
> the right level for each peer, and mail delivery in cleartext should
> a previously DANE-enabled domain withdraw its TLSA RRs, ...

I've read the above several times but do not really understand what it means.

Also the issue is not whether we agree but what the technical details are that qualify this as "opportunistic" rather than authenticated encryption that happens to use DNSSec as a form of CA.

For a term to be useful, there must be a clear and consistent way of applying it. The exchange we are having right now makes the meaning -- and therefore utility -- of opportunistic (foo) -- questionable.

It is simply not useful to have such a basic assessment reduce to "we'll have to disagree"...

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net