Re: [saag]: Review of: Opportunistic Security -03 preview for comment

On Fri, Aug 22, 2014 at 05:25:17AM +0000, l.wood@xxxxxxxxxxxx wrote:

> Okay, so with opportunistic security, all a man in the middle
> has to do is block any communications he can't decrypt, and it
> automatically downgrades to select something he can break?

And without OS, he need not do anything at all, because the vast
majority of the traffic is cleartext.  However, OS can support
downgrade-resistant modes of operation, given appropriately secure
out-of-band signalling (possibly DANE/DNSSEC).

OS is not an effort to displace already working authenticated
encrypted traffic.  Rather, it is an effort to upgrade currently
unencrypted traffic to encryption or currently unauthenticated
traffic to authentication.

Hence, "Opportunistic TLS" with SMTP for the former, and "Opportunistic
DANE TLS" with the latter.

You can point fingers at the shabby clothing of the OS emperor,
but at least he's not naked.

--
	Viktor.
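An added illustration of the point Viktor makes about downgrade resistance (example code, not part of the thread or of any MTA): a sending MTA only refuses to fall back to cleartext when a DNSSEC-authenticated TLSA record has promised TLS out-of-band; without that signal, a blocked STARTTLS simply yields the cleartext the mail would have been sent in anyway. The DNS answer and the server are constructed stand-ins, not a real resolver or SMTP session.

```python
from dataclasses import dataclass, field


@dataclass
class DnsAnswer:
    """Constructed stand-in for a TLSA lookup result (not a real resolver)."""
    tlsa_records: list = field(default_factory=list)
    dnssec_authentic: bool = False  # did the answer validate under DNSSEC?


@dataclass
class SmtpServer:
    """Constructed stand-in for the receiving MTA as seen over the network path."""
    supports_starttls: bool = True
    cert_matches_tlsa: bool = True  # would the presented cert match the TLSA data?


def decide_policy(answer: DnsAnswer) -> str:
    # Only an authenticated out-of-band signal may tighten the policy:
    # an unsigned TLSA record could itself have been forged by the MITM.
    if answer.tlsa_records and answer.dnssec_authentic:
        return "dane"
    return "opportunistic"


def deliver(answer: DnsAnswer, server: SmtpServer,
            mitm_strips_starttls: bool = False) -> str:
    """Return what the sender ends up doing for one delivery attempt."""
    policy = decide_policy(answer)
    starttls_offered = server.supports_starttls and not mitm_strips_starttls
    if not starttls_offered:
        # Opportunistic: the baseline was cleartext, so cleartext is no regression.
        # DANE: the signed TLSA record promised TLS; a missing offer is a
        # downgrade, so the message is deferred rather than sent in the clear.
        return "cleartext" if policy == "opportunistic" else "deferred"
    if policy == "dane" and not server.cert_matches_tlsa:
        return "deferred"  # authentication failure under DANE fails closed
    return "tls-authenticated" if policy == "dane" else "tls-unauthenticated"
```

Opportunistic delivery therefore upgrades the common case without ever doing worse than the cleartext baseline, while the DANE branch is the downgrade-resistant mode that depends on DNSSEC being there to sign the promise.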




