Re: [dane] [saag] Need better opportunistic terminology

Joe Touch <touch@isi.edu> Thu, 06 March 2014 17:05 UTC

Return-Path: <touch@isi.edu>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9315B1A0083; Thu, 6 Mar 2014 09:05:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.745
X-Spam-Level:
X-Spam-Status: No, score=-4.745 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9doIQzhl3oGy; Thu, 6 Mar 2014 09:05:21 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by ietfa.amsl.com (Postfix) with ESMTP id E1D441A01FB; Thu, 6 Mar 2014 09:05:18 -0800 (PST)
Received: from [192.168.1.97] (pool-71-105-87-112.lsanca.dsl-w.verizon.net [71.105.87.112]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id s26H3pcC028049 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 6 Mar 2014 09:04:01 -0800 (PST)
References: <CAMm+LwjF9To+w3K4RR=72BbLNE2hJa9CibWOEARYmODiuFNu9g@mail.gmail.com>
In-Reply-To: <CAMm+LwjF9To+w3K4RR=72BbLNE2hJa9CibWOEARYmODiuFNu9g@mail.gmail.com>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary=Apple-Mail-198B2FEE-28D9-4138-AC58-E3CF0FC363E1
Message-Id: <082D04F9-DBB4-4492-BE91-C4E3616AC24D@isi.edu>
X-Mailer: iPhone Mail (11B651)
From: Joe Touch <touch@isi.edu>
Date: Thu, 6 Mar 2014 09:03:52 -0800
To: Phillip Hallam-Baker <hallam@gmail.com>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/CFBUYbaMAmBAickRj17qPXG-HRg
X-Mailman-Approved-At: Thu, 06 Mar 2014 10:06:20 -0800
Cc: "saag@ietf.org" <saag@ietf.org>, "dane@ietf.org" <dane@ietf.org>
Subject: Re: [dane] [saag] Need better opportunistic terminology
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 17:05:23 -0000


> On Mar 6, 2014, at 1:23 AM, Phillip Hallam-Baker <hallam@gmail.com>; wrote:
> 
> The term opportunistic has become the new synonym for 'Good' but it is being used for many different things.
> 
> A) Unauthenticated key exchange

Fwiw, this is IMO an error since I first introduced BTNS, and I had to clear it up on Wikipedia multiple times. I see nothing opportunistic about this mode as a stand-alone concept. 

I personally don't this the term applies to the modes listed below either. 

One mode you didn't include - that I recall as one of tho first uses of the term opportunistic, and remains the only one I associate with the term. - is the use of a key before either the key or encryption in general has been negotiated and is not the protocol default. (I.e., a little like B but more just start using it then an 'upgrade'. )

Joe

> B) Upgrade from plaintext to encrypted without controlling security policy requiring use of encryption.
> 
> C) Silent-fail on bad credentials
> 
> D) Silent-success on bad credentials
> 
> There are arguments for all of these but I am just watching a presentation on 'opportunistic encryption' in DANE and I think the term is selling DANE short.
> 
> DNS is an authoritative path for statements about DNS labels. Ergo authenticated DNS RRs are authenticated statements about them. DANE provides authenticated statements about security policy and keys. Ergo DANE cannot support opportunistic encryption because it is policy directed encryption (i.e. better).
> 
> 
> 
> -- 
> Website: http://hallambaker.com/
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag