On 8/5/2014 8:14 PM, Scott Kitterman wrote: > It seems to me that all it means is that the MTA is taking the opportunity to > make the most secure connection it can on a peer basis. Sometime that's going > to be a full DANE negotiated session protected by DNSSEC. Other times it's > not. I think the major point of opportunistic isn't how good the resulting > security is, but the idea of taking advantage of the best option available on > a per peer basis rather than treating it as all or nothing. That looks like quite a good paragraph to me. I understand it, and it describes something meaningful... and distinctive from current approaches to use of encryption. Focusing on a "framework that permits decreasing levels of encryption protection" or similar language resonates with what I've been reading about this opportunistic thing. (My own view is that cleartext has no place within that hierarchy, so some sort of minimum encryption needs to be described. > On 8/5/2014 8:16 PM, Viktor Dukhovni wrote: > DANE with authentication can be either opportunistic (enabled via >> discovery on a peer by peer basis) or mandatory (required by local >> policy, URI scheme, ...). Postfix for example supports both >> opportunistic and mandatory DANE TLS: Sorry, but I don't understand how "enabled via discovery on a peer by peer basis" is any different from use of StartTLS. That sort of confusion should not be prompted by 'definition' of such a basic term. So while Scott's paragraph enjoys wonderfulness, what you are saying still doesn't make much sense to me. Worse, I fear that language of the sort you are using will prove not very useful to the community. d/ -- -- Dave Crocker Brandenburg InternetWorking bbiw.net