On Fri, Aug 15, 2014 at 04:29:12PM -0400, Paul Wouters wrote:

> > Let's talk about the substance of the draft.
>
> This draft proposes encryption in the possible absence of
> authentication.

No, this draft proposes encryption in the presence of peer encryption
support, and authentication in the presence of peer authentication
support as determined via suitable peer signalling mechanisms.

> While I can call it privacy or encryption,
> I have a very hard time calling it security.

Opportunistic DANE TLS for SMTP is security, but is only comprehensive
when the SMTP server publishes DNSSEC validated MX RRs and associated
TLSA RRs for the MX hosts. It is an example of OS.

Opportunistic (non-DANE) TLS (as in the draft's example section) for
SMTP is also security. It is security against passive attacks, that is,
for a different threat model.

Both are OS, but the draft promotes designs that can do both
comprehensive (passive and active) and partial (passive-only) channel
security.

> On top of that,
> we all know we would have called it opportunistic encryption
> if that term had not been picked already.

I would have objected regardless. Opportunistic security is a better
match than OE for the content of the draft. I would not have objected
to Opportunistic Cryptosecurity, but it is not a compelling improvement.

-- 
Viktor.
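The reply above describes two independent signals an SMTP client reads from its peer: DNSSEC-validated MX and TLSA records (a signal that the peer supports authentication) and a STARTTLS offer (a signal that it supports encryption), with the strongest available protection chosen from whatever the peer signals. The following is an added illustration of that decision ladder, written for this page; it is not code from the thread, the draft, or any MTA. The dataclass fields, the `Validation` states and the outcome labels are assumptions chosen to make the two threat models in the message explicit.

```python
"""Model of the opportunistic-security decision described in the reply.

Constructed example for this page, not code from the thread or any MTA.
It reads two peer signals: DNSSEC-validated MX/TLSA records (authentication
support) and a STARTTLS offer (encryption support), and picks the strongest
protection both signals permit.  Names and labels below are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Validation(Enum):
    SECURE = "secure"      # DNSSEC-validated answer (resolver set the AD bit)
    INSECURE = "insecure"  # unsigned zone; answer exists but is not trustworthy
    BOGUS = "bogus"        # signed zone whose signatures failed validation


@dataclass
class PeerSignals:
    """What the client learned about one MX host (constructed sample data)."""
    mx_validation: Validation                   # DNSSEC status of the MX RRset
    tlsa_validation: Optional[Validation]       # status of the _25._tcp.<mx> TLSA lookup
    tlsa_records: List[str] = field(default_factory=list)  # TLSA RRs, presentation form
    starttls_offered: bool = False              # peer advertised STARTTLS in its EHLO reply


@dataclass(frozen=True)
class Outcome:
    mode: str             # authenticated-tls | unauthenticated-tls | cleartext | defer
    resists_passive: bool # eavesdropping on the wire
    resists_active: bool  # MX redirection / STARTTLS stripping / forged certificate


def decide(sig: PeerSignals) -> Outcome:
    """Choose the strongest channel security the peer's signalling supports."""
    # A bogus DNSSEC answer is neither a signal for nor against DANE: the client
    # cannot distinguish attack from misconfiguration, so it defers delivery
    # rather than silently downgrading.
    if Validation.BOGUS in (sig.mx_validation, sig.tlsa_validation):
        return Outcome("defer", resists_passive=False, resists_active=False)

    # The comprehensive case from the reply: DNSSEC-validated MX RRs plus
    # validated TLSA RRs for the MX host.  TLS is now required and the
    # certificate is matched against the TLSA data; a peer that then fails
    # to offer STARTTLS is a delivery failure, not a reason to fall back.
    if (sig.mx_validation is Validation.SECURE
            and sig.tlsa_validation is Validation.SECURE
            and sig.tlsa_records):
        return Outcome("authenticated-tls", resists_passive=True, resists_active=True)

    # No authentication signal, but the peer supports encryption: the
    # passive-only threat model of plain opportunistic STARTTLS.
    if sig.starttls_offered:
        return Outcome("unauthenticated-tls", resists_passive=True, resists_active=False)

    # Neither signal: opportunistic means mail still flows, in the clear.
    return Outcome("cleartext", resists_passive=False, resists_active=False)


# Constructed peers covering each rung of the ladder.
SAMPLE_PEERS = {
    "dane-mx": PeerSignals(Validation.SECURE, Validation.SECURE,
                           ["3 1 1 0123456789abcdef"], starttls_offered=True),
    "signed-zone-no-tlsa": PeerSignals(Validation.SECURE, Validation.SECURE, [],
                                       starttls_offered=True),
    "unsigned-starttls": PeerSignals(Validation.INSECURE, None, [], starttls_offered=True),
    "unsigned-plaintext": PeerSignals(Validation.INSECURE, None, [], starttls_offered=False),
    "bogus-tlsa": PeerSignals(Validation.SECURE, Validation.BOGUS, [], starttls_offered=True),
}


def summarize() -> dict:
    """Map each constructed peer to its chosen mode (used by the demo and tests)."""
    return {name: decide(sig).mode for name, sig in SAMPLE_PEERS.items()}


if __name__ == "__main__":
    for name, sig in SAMPLE_PEERS.items():
        out = decide(sig)
        print(f"{name:22} {out.mode:20} passive={out.resists_passive} active={out.resists_active}")
```

The ordering of the checks is the whole point: the authenticated rung is tried first and only falls through when the peer publishes no validated TLSA data, so a peer that signals authentication support is never quietly downgraded to the passive-only rung by a missing STARTTLS offer.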