On Sat, Aug 16, 2014 at 04:48:54AM +0000, Viktor Dukhovni wrote:
> Except that it is different.  There is no need to make a big "your
> security may be degraded" fuss when doing better than expected.
> However, when failing to achieve a security goal, and settling for
> less, applications have tended to put up all sorts of warnings,
> fussy dialogues, ...  And are often unwilling to do less than the
> maximum, and simply fail.
>
> The change of perspective is crucial to making progress.  Cleartext
> is the baseline, not comprehensive protection.  You don't fall back
> from comprehensive protection, when it does not work out, ...
> You do better than the baseline when that is possible, and just
> works, without disrupting communication in the absence of an attack.

Yes.  This.  It would be good to have something which states this
explicitly in the introduction of the I-D.  A careful reader can infer
this, but I think it's good to state this explicitly.

Something else that I think would be good to include in the
introduction is that as we improve from cleartext to "authenticated,
encrypted, and protected against passive and active attacks", the way
station of "protected only against passive attackers" is _still_
better than just staying at cleartext.

The second paragraph of the abstract:

   This document promotes designs in which cryptographic protection
   against both passive and active attacks can be rolled out
   incrementally as new systems are deployed, without creating
   barriers to communication.

... seems to emphasize more the concept of "some of the time" and
doesn't spell out that the rollout might include protection against
passive attacks only as being (a) within the scope of this document,
and (b) desirable if the alternative is cleartext.

> This is a design guide (manifesto), not a protocol specification,
> and setting things in the right perspective matters.

Something that might be useful along this front, if we can find an
appropriate reference, is the (possibly apocryphal, or maybe the
authoritative source is classified, perhaps out of embarrassment? :-)
story about air force pilots who would deliberately disable their
fancy NSA-provided crypto gear because in a combat situation, when
friendly fire can really ruin your day (or not getting support to
ground forces who were using an incompatible crypto system),
communicating in the clear is far more important than not
communicating at all....

						- Ted