Re: [dane] [saag] Need better opportunistic terminology

[Joe Touch <touch@isi.edu>]

> On Mar 6, 2014, at 1:23 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> 
> The term opportunistic has become the new synonym for 'Good' but it is being used for many different things.
> 
> A) Unauthenticated key exchange

Fwiw, this is IMO an error since I first introduced BTNS, and I had to clear it up on Wikipedia multiple times. I see nothing opportunistic about this mode as a stand-alone concept. 

I personally don't this the term applies to the modes listed below either. 

One mode you didn't include - that I recall as one of tho first uses of the term opportunistic, and remains the only one I associate with the term. - is the use of a key before either the key or encryption in general has been negotiated and is not the protocol default. (I.e., a little like B but more just start using it then an 'upgrade'. )

Joe

> B) Upgrade from plaintext to encrypted without controlling security policy requiring use of encryption.
> 
> C) Silent-fail on bad credentials
> 
> D) Silent-success on bad credentials
> 
> There are arguments for all of these but I am just watching a presentation on 'opportunistic encryption' in DANE and I think the term is selling DANE short.
> 
> DNS is an authoritative path for statements about DNS labels. Ergo authenticated DNS RRs are authenticated statements about them. DANE provides authenticated statements about security policy and keys. Ergo DANE cannot support opportunistic encryption because it is policy directed encryption (i.e. better).
> 
> 
> 
> -- 
> Website: http://hallambaker.com/
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag