On Thu, Aug 07, 2014 at 03:03:26PM +0000, Viktor Dukhovni wrote: > - Rene Struik is concerned that opportunistic security might > lead to a reduction in protection against active attacks, I too had this concern. For me the key is that looking forward to a DANE-like world we get secure discovery of services' ability to authenticate. By "secure discovery" I mean: no downgrade attacks. Rene's concern however is partly about people getting a false sense of security and not bothering with anything else once they have unauthenticated encryption everywhere. However, I think DANE is much more likely to gain momentum than people are to think they have security against active attacks without it. Nico --