On Tue, Jul 08, 2014 at 08:09:40AM -0700, The IESG wrote:
> The IESG has received a request from an individual submitter to consider
> the following document:
> - 'Opportunistic Security: some protection most of the time'
>   <draft-dukhovni-opportunistic-security-01.txt> as Informational RFC

No objections from me.

I think some examples would help convey the meaning of opportunistic security to many reviewers. In particular I think it needs to be made clear (and examples would do it) that when a "security floor" can be securely discovered, then OS cannot result in less security than that floor.

The obvious example is DANE: because DNSSEC provides secure NXDOMAIN results, it's possible to securely discover a service's ability to authenticate, and then authenticate it that way, resulting in no less security than that. Other examples include TOFU/LoF/pinning.

Note that any security considerations regarding use of DANE are really just DANE's security considerations. Concerns about MITM attacks by [compromised] registrars belong in DANE's security considerations, though I don't object to their being mentioned in Viktor's I-D.

Nico
--
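The "security floor" point in the message above, as an added sketch that is not part of the original message or of the draft: a simplified client policy in which the result of a DNSSEC-validated TLSA lookup sets the floor, and no change in what the peer presents can push the connection below it. The names `Lookup`, `discover_floor`, `connect` and `possible_outcomes` are hypothetical, and deferring when the lookup fails is an assumption of this model.

```python
from enum import Enum
from itertools import product

class Lookup(Enum):  # hypothetical names for the outcome of a TLSA query
    SECURE_TLSA = 1    # DNSSEC-validated answer containing TLSA records
    SECURE_DENIAL = 2  # DNSSEC-validated NXDOMAIN/NODATA: no TLSA published
    INSECURE = 3       # unsigned zone: nothing can be securely discovered
    FAILED = 4         # bogus signatures or lookup failure

# Protection levels, ordered weakest to strongest.
LEVELS = ["cleartext", "unauthenticated-tls", "authenticated-tls"]

def discover_floor(lookup):
    """Return the minimum acceptable level, or None if it cannot be learned."""
    if lookup is Lookup.SECURE_TLSA:
        return "authenticated-tls"
    if lookup in (Lookup.SECURE_DENIAL, Lookup.INSECURE):
        return "cleartext"
    return None  # assumption of this model: an undeterminable floor means wait

def connect(lookup, peer_offers_tls, cert_matches_tlsa):
    """Return the level used for this connection, or 'defer' if none is allowed."""
    floor = discover_floor(lookup)
    if floor is None:
        return "defer"
    if not peer_offers_tls:
        best = "cleartext"
    elif lookup is Lookup.SECURE_TLSA and cert_matches_tlsa:
        best = "authenticated-tls"
    else:
        best = "unauthenticated-tls"
    # Use the best available level, but never go below the discovered floor.
    return best if LEVELS.index(best) >= LEVELS.index(floor) else "defer"

def possible_outcomes(lookup):
    """Every result an on-path party could force by altering what the peer shows."""
    return {connect(lookup, tls, match) for tls, match in product([True, False], repeat=2)}

if __name__ == "__main__":
    for lookup in Lookup:
        print(f"{lookup.name:14} -> {sorted(possible_outcomes(lookup))}")
```

With a securely discovered TLSA record the only outcomes are an authenticated session or no session; with a secure denial the client still takes whatever encryption the peer offers.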