On Tue, Aug 05, 2014 at 11:14:27PM -0400, Scott Kitterman wrote:

> > For a term to be useful, there must be a clear and consistent way of
> > applying it.
> >
> > The exchange we are having right now makes the meaning -- and therefore
> > utility -- of opportunistic (foo) -- questionable. It is simply not
> > useful to have such a basic assessment reduce to "we'll have to disagree"...
>
> It seems to me that all it means is that the MTA is taking the opportunity
> to make the most secure connection it can on a peer basis. Sometimes that's
> going to be a full DANE negotiated session protected by DNSSEC. Other
> times it's not. I think the major point of opportunistic isn't how good
> the resulting security is, but the idea of taking advantage of the best
> option available on a per peer basis rather than treating it as all or
> nothing.

Exactly. Opportunistic security operates at a variable protection level,
not fixed by a-priori policy. Rather, it is tuned to the apparent
capabilities of the peer. Some appearances are not downgrade resistant
(enabling active downgrade attacks), and some don't reflect reality
(breaking interoperability when the peer promises more than it can
deliver).

-- 
Viktor.
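The two points Viktor makes at the end, that the protection level is chosen per peer from what the peer appears to offer, that some of those appearances can be stripped by an active attacker, and that others can promise more than the peer delivers, can be modelled as a small policy selector. The following is an added illustration written for this page; it is not code from the thread or from any MTA. The `Peer` record, the `DeliveryDeferred` exception and the helper names are assumptions of the model, and the TLSA "digests" are constructed strings rather than real DNS data.

```python
"""Toy model of an opportunistic-TLS policy for an SMTP client.

Added example, not code from the thread or any MTA. It models the idea
in the thread: the protection level is not fixed by a-priori policy but
chosen from what the peer appears to offer, and it shows the two failure
modes named there (non-downgrade-resistant signals, and peers that
promise more than they deliver). Peer state is a constructed dataclass,
not real DNS or SMTP.
"""
from dataclasses import dataclass, field, replace
from enum import Enum


class Level(Enum):
    CLEARTEXT = 0        # no STARTTLS offered (or STARTTLS stripped en route)
    ENCRYPTED = 1        # STARTTLS, certificate not authenticated
    DANE_VERIFIED = 2    # TLS, certificate matched a DNSSEC-signed TLSA record


@dataclass
class Peer:
    offers_starttls: bool
    tlsa_records: list = field(default_factory=list)  # hypothetical cert digests from DNS
    tlsa_dnssec_valid: bool = False                    # were those records DNSSEC-validated?
    cert_digest: str = ""                              # digest the server actually presents


class DeliveryDeferred(Exception):
    """Peer promised more (a signed TLSA record) than it delivered."""


def choose_level(peer: Peer) -> Level:
    """Pick the strongest protection the peer can prove it supports."""
    # DNSSEC-validated TLSA records are a downgrade-resistant signal: the
    # sender knows TLS is required before talking to the server, so a
    # stripped STARTTLS or a mismatched certificate is a hard failure
    # (mail is deferred), not a fallback to something weaker.
    if peer.tlsa_records and peer.tlsa_dnssec_valid:
        if not peer.offers_starttls:
            raise DeliveryDeferred("TLSA present but STARTTLS not offered")
        if peer.cert_digest not in peer.tlsa_records:
            raise DeliveryDeferred("certificate matches no TLSA record")
        return Level.DANE_VERIFIED
    # Unsigned TLSA records carry no authenticity, so they are ignored:
    # the peer is judged by what it can prove, not by what it claims.
    if peer.offers_starttls:
        return Level.ENCRYPTED
    # Without a signed promise of TLS, the only signal is the EHLO reply,
    # which an on-path attacker can alter; the fallback is cleartext.
    return Level.CLEARTEXT


def outcome(peer: Peer) -> str:
    """Level name, or 'DEFERRED' when the policy refuses to downgrade."""
    try:
        return choose_level(peer).name
    except DeliveryDeferred:
        return "DEFERRED"


def survives_starttls_strip(peer: Peer) -> bool:
    """True if removing STARTTLS from the EHLO reply cannot silently push
    delivery to cleartext (either TLS still happens or mail is deferred)."""
    stripped = replace(peer, offers_starttls=False)
    return outcome(stripped) != Level.CLEARTEXT.name


if __name__ == "__main__":
    plain = Peer(offers_starttls=True)
    dane = Peer(True, ["sha256:constructed-digest"], True, "sha256:constructed-digest")
    broken = Peer(True, ["sha256:constructed-digest"], True, "sha256:other-digest")
    for name, p in [("starttls-only", plain), ("dane", dane), ("dane-mismatch", broken)]:
        print(f"{name:14} level={outcome(p):14} downgrade-resistant={survives_starttls_strip(p)}")
```

The STARTTLS-only peer reaches `ENCRYPTED` but drops to `CLEARTEXT` as soon as the offer is stripped, which is the "appearance that is not downgrade resistant"; the DANE peer with a mismatched certificate is the "peer that promises more than it can deliver", and the policy defers rather than connecting at a weaker level.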