On Thu, 7 Aug 2014, Nico Williams wrote:
On Thu, Aug 07, 2014 at 03:03:26PM +0000, Viktor Dukhovni wrote:- Rene Struik is concerned that opportunistic security might lead to a reduction in protection against active attacks,I too had this concern. For me the key is that looking forward to a DANE-like world we get secure discovery of services' ability to authenticate. By "secure discovery" I mean: no downgrade attacks. Rene's concern however is partly about people getting a false sense of security and not bothering with anything else once they have unauthenticated encryption everywhere.
That is why FreeS/WAN did not do anonymous IPsec back in 1997. Boy I wish we had come to a different conclusions at the time. Today, it's only become more obvious that we need to do this, and yes not bother the user with a GUI if it is unauthenticated. Paul