Re: [dane] [saag] Need better opportunistic terminology

"Olle E. Johansson" <> Thu, 13 March 2014 07:59 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 353321A094F; Thu, 13 Mar 2014 00:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aHR9EsNpaNBL; Thu, 13 Mar 2014 00:59:22 -0700 (PDT)
Received: from ( [IPv6:2a02:920:212e::205]) by (Postfix) with ESMTP id C6F4B1A094E; Thu, 13 Mar 2014 00:59:21 -0700 (PDT)
Received: from [] ( []) by (Postfix) with ESMTPA id 6195793C2A2; Thu, 13 Mar 2014 07:59:13 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: "Olle E. Johansson" <>
In-Reply-To: <>
Date: Thu, 13 Mar 2014 08:59:12 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <>
To: Derek Atkins <>
X-Mailer: Apple Mail (2.1874)
Cc:, saag <>, Joe Touch <>
Subject: Re: [dane] [saag] Need better opportunistic terminology
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Mar 2014 07:59:24 -0000

On 12 Mar 2014, at 21:02, Derek Atkins <> wrote:

> Joe Touch <> writes:
>> Why not just use the term "unauthenticated encryption", when that's
>> exactly what's happening?
> Well, it's not necessarily what's happening.  The data itself might
> still have "integrity protection" (which is a form of authentication.
> You're just not authenticating the endpoint, which means you could be
> subject to a MitM attack.  Alternate terms could be "Unauthenticated
> Keying" or "Unauthenticated Key Exchange" which are closer (IMHO) to
> what's going on.

To get any movement in this area among developers and sysadmins, 
we need a language that any sysadmin or developer understands. 
I believe we can easily get them to understand "Opportunistic encryption"
but if we go into explaining "keying" or "key exchange" they will be lost in 
the OpenSSL documentation maze again.

We might have to separate a "marketing name" of the overall concept
from a set of technical definitions we can refer to when explaining this in
RFCs. For me, I can happily accept using OE as the unclear marketing
bullshit term for a set of solutions that set up an encrypted communication
channel - regardless of URI or configuration, without any indication to
the user in the phone UI or browser UI - no locks!

I can understand that this may be hard to accept in a technical community, but
we have a huge educational effort ahead of us in order to get this done.
The general concept has to be easy to explain.

In summary, I propose that we keep OE as the overall term and define
a set of more precise terminology to explain what goes on in the background.
As Victor pointed out, there may be different solutions in different

As a side note:

Use the term "best-effort TLS" to describe that a SIP ua is perfectly
allowed to set up a TLS session based on policy regardless if there
is a "sips:" URI. I don't know where that terminalogy came from. It's
always used with quotation marks in the RFC. This "best-effort TLS"
still requires verification of the certificate though.