Re: DANE should be more prominent (Re: Review of: Opportunistic Security -03 preview for comment)


 



On Sat, 16 Aug 2014, Phillip Hallam-Baker wrote:

For me DANE is the critical piece to understanding how the OS protocol
design pattern can raise the floor without lowering the ceiling and
without encouraging a general reduction of security against active
attacks.  The key lies in DNSSEC's authenticated non-existence
functionality.

???

DANE isn't opportunistic security. It is authenticated security policy
and keys. That's the opposite of opportunistic.

And this is why OS is a bad term. People still don't see this new term
as meaning "do authenticated encryption protocols when possible, anonymous
encryption with fallback to clear if not".

Paul




