Re: [saag] DANE should be more prominent (Re: Review of: Opportunistic Security -03 preview for comment)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ian,

On 20/08/2014 16:03 pm, Stephen Kent wrote:
Ben,

You noted my use of the phrase "Opportunistic Crypto-Secruity" instead
of "Opportunistic Secruity."
I made the change after someone else suggested it as a more precise
description of what we're
doing,
It's not more precise, it's either a distinction of no difference or a
mistake.
so says the man with how many RFCs and other publications to his credit?
What we are doing is Opportunistic Security.  That is, we are securing
the users' interests using an opportunistic approach.

We are then applying this approach to protocols.  Now, obviously, when
we are doing protocols, most security ends up being crypto in nature.
a lot of security is not at all crypto-based: non-Ipsec firewalls,
IDS's, ...
So in this sense of high-level viewpoint, the distinction is no
distinction, OS is crypto-security.
I agree that what we are discussing is crypto security.
I am not wedded to the OCS name alternative; I proposed OS
and someone else suggested OCS.
But, at a more detailed level, this simplification is reversed:
sometimes we come across a technique that isn't crypto-related.  For
example, TOFU.  This is based on the limited time/space window, the
knowledge of the human operators, and the economics of attacking every
possibility all the time.
TOFU is a key management mechanism, i.e., it is used to distribute a
public key, which is then cached along with the proffered ID. I'd
say that any key management mechanism is crypto-related.
TOFU is not crypto, yet it is OS.
TOFU is one key management mechanism that MAY be part of an OS solution.
DANE is another; unauthenticated Diffie-Hellman is another, ...
So, by saying crypto-security we are in danger of eliminating one of our
best and most successful techniques [0].  And, as we are talking
opportunistically, we indeed want to not be so prejudicial.  We'll take
a benefit where we find it.
we disagree on whether TOFU is crypto-related.
and because it has the advantage of being represented by an
acronym that isn't so common
(OCS vs. OS) in our arena.
yes.
Yeah, overloading is a nice to avoid, but not essential.  How about
opp-sec?  Of if someone points out a clash with operational security,
then oppo-sec.
opp-sec is not an acronym, so I don't see the parallel.

Steve





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]