Re: [dane] [saag] Need better opportunistic terminology

Stephen Kent <> Tue, 11 March 2014 21:53 UTC

Date: Tue, 11 Mar 2014 17:53:25 -0400
From: Stephen Kent <>
To:, saag <>
Subject: Re: [dane] [saag] Need better opportunistic terminology
List-Id: DNS-based Authentication of Named Entities <>
X-List-Received-Date: Tue, 11 Mar 2014 21:53:39 -0000


> On Mar 6, 2014, at 1:23 AM, Phillip Hallam-Baker wrote:
>> The term opportunistic has become the new synonym for 'Good' but it 
>> is being used for many different things.
>> A) Unauthenticated key exchange
> Fwiw, this is IMO an error since I first introduced BTNS, and I had to 
> clear it up on Wikipedia multiple times. I see nothing opportunistic 
> about this mode as a stand-alone concept.
The original use of the term appears to be from RFC 4322, Michael Richardson's document. He describes how to use keys retrieved from the DNS with IPsec/IKE, without prior, bilateral arrangements for access control, via the SPD. He defined OE that way, and noted that it was not an unauthenticated mode of IPsec. I prefer that we stick with that definition of the term, which is IPsec-specific. I have suggested "opportunistic keying" as a preferred term, since it's the key management, not the encryption per se, that distinguishes other proposed modes of operation for IPsec, TLS, etc. The breakout group at the STRINT workshop that discussed terminology suggested using the term noted above.