On Thu, Aug 07, 2014 at 03:03:26PM +0000, Viktor Dukhovni wrote:
> - You seem to want to ensure that opportunistic security should
>   avoid defending against active attacks,

[Here "you" == Stephen K.]

That's my take on Stephen's position. IIRC it derived from wanting no UI impact from OS.

But DANE lets you securely discover that you can authenticate a service, authenticate it, and success/failure *is* the *only* UI needed in that case -- a UI that already exists.

I.e., OS w/ DANE has no UI impact, and you can't fall back on unauthenticated encryption when the service can be authenticated. OS w/ DANE has no downgrade attacks. The only ways to make OS w/ DANE fail are: compromise a DNS registrar in the chain, compromise the service, compromise the crypto, or DoS.

Heck, OS w/ TOFU/pinning has similar properties once the peer's keys are learned/pinned (and with all the security considerations of TOFU/pinning). DANE isn't the only option, but DNSSEC's secure NXDOMAIN functionality makes DANE >> TOFU/pinning.

Therefore OS can provide more than unauthenticated encryption in some cases.

Nico
--
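The policy Nico describes (authenticate when a DNSSEC-secured TLSA record exists, encrypt opportunistically only when a secure NXDOMAIN/NODATA or an unsigned zone proves there is nothing to authenticate against, and never fall back on a mismatch) as an added Python example; this is not code from the thread. It handles only DANE-EE (usage 3) records, and the certificate and SPKI bytes are constructed stand-ins, not real DER.

```python
import hashlib, hmac
from dataclasses import dataclass
from enum import Enum

class DnsStatus(Enum):
    SECURE = 1    # DNSSEC-validated answer, including NXDOMAIN/NODATA
    INSECURE = 2  # unsigned zone: TLSA records cannot be trusted
    BOGUS = 3     # validation failed: treat as attack or outage

class Policy(Enum):
    AUTHENTICATE = 1   # TLSA published: verify it, and failure is fatal
    OPPORTUNISTIC = 2  # nothing to authenticate against: encrypt anyway
    FAIL = 3           # bogus DNS: do not connect

@dataclass(frozen=True)
class Tlsa:
    usage: int     # only 3 (DANE-EE) is handled here
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def usable(records):
    return [r for r in records
            if r.usage == 3 and r.selector in (0, 1) and r.mtype in (0, 1, 2)]

def choose_policy(status, records):
    if status is DnsStatus.BOGUS:
        return Policy.FAIL
    if status is DnsStatus.INSECURE or not usable(records):
        return Policy.OPPORTUNISTIC  # a secure empty answer proves no TLSA exists
    return Policy.AUTHENTICATE

def tlsa_matches(record, cert_der, spki_der):
    blob = cert_der if record.selector == 0 else spki_der
    if record.mtype == 1:
        blob = hashlib.sha256(blob).digest()
    elif record.mtype == 2:
        blob = hashlib.sha512(blob).digest()
    return hmac.compare_digest(blob, record.data)

def accept_peer(status, records, cert_der, spki_der):
    policy = choose_policy(status, records)
    if policy is Policy.AUTHENTICATE:  # never downgrade to unauthenticated here
        return any(tlsa_matches(r, cert_der, spki_der) for r in usable(records))
    return policy is Policy.OPPORTUNISTIC

# Constructed stand-ins for the peer's certificate and SPKI DER (not real DER).
SAMPLE_CERT, SAMPLE_SPKI = b"constructed-cert-der", b"constructed-spki-der"
GOOD_TLSA = Tlsa(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())
WRONG_TLSA = Tlsa(3, 1, 1, hashlib.sha256(b"some-other-key").digest())
```

With a validating resolver, `status` and `records` would come from the TLSA lookup for the service's `_port._proto.host` name; the decision logic itself needs no network.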