On Thu, Aug 07, 2014 at 04:20:45PM -0400, Paul Wouters wrote:
> >Rene's concern however is partly about people getting a false sense of
> >security and not bothering with anything else once they have
> >unauthenticated encryption everywhere.
>
> That is why FreeS/WAN did not do anonymous IPsec back in 1997. Boy I
> wish we had come to a different conclusion at the time. Today, it's
> only become more obvious that we need to do this, and yes not bother
> the user with a GUI if it is unauthenticated.

If the app/user would fall back to cleartext, then yes.

(I also wish that Dan McDonald's IP_SEC_OPT socket option from back in
1996-ish -which much later inspired RFC5660- had gotten momentum then
too. We wouldn't have to have TCP-layer crypto protocols now.)

Nico
--