Re: Review of: Opportunistic Security -03 preview for comment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hatless...

On 8/15/14 3:26 PM, Dave Crocker wrote:
On 8/15/2014 1:15 PM, Paul Wouters wrote:

The draft's definition of opportunism is "encrypt where possible, even
without authentication, but mandate authenticated encryption when
advertised".
It does not say the first part, though that language looks quite good to me.

The second part isn't opportunisticx.  If authenticated is mandated,
there is nothing to be opportunistic about.  If mandated is included in
opportunistic, then there is no actual meaning to the term other than
something trivial like "we like encryption".

Disagree. Paul's definition still missed a bit, and I think it was the word "mandate" that confused things.

Opportunism here is to take the opportunity to do the *best* encryption you can do. If the other end advertises authenticated encryption, you take the opportunity to do authenticated encryption. If that's unavailable but you can do unauthenticated encryption, that's the best you can do and you opportunistically do that. The difference from the past is that you don't simply give up on encryption if you can't do authenticated strong encryption; you opportunistically use whatever encryption you are able to.

My definition:

      Opportunism is the flexibility to use less-stringent protection,
hen stronger protection is not possible.

Using less-stringent protection when stronger protection is not available is not an "opportunity". It's a compromise. The opportunity is to go *up* from what you currently do, not to go down from what you might have done had circumstances been different.

pr

--
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]