Re: [dane] [saag] Need better opportunistic terminology

Joe Touch <> Tue, 11 March 2014 22:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8675F1A0823; Tue, 11 Mar 2014 15:12:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UaItCGUI0cLa; Tue, 11 Mar 2014 15:12:55 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9C7CA1A063F; Tue, 11 Mar 2014 15:12:55 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) by (8.13.8/8.13.8) with ESMTP id s2BMCZWQ019124 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 11 Mar 2014 15:12:35 -0700 (PDT)
Message-ID: <>
Date: Tue, 11 Mar 2014 15:12:35 -0700
From: Joe Touch <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Stephen Kent <>,, saag <>
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
Subject: Re: [dane] [saag] Need better opportunistic terminology
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Mar 2014 22:12:57 -0000

Hi, Steve,

On 3/11/2014 2:53 PM, Stephen Kent wrote:
> Joe,
>> On Mar 6, 2014, at 1:23 AM, Phillip Hallam-Baker <
>> <>> wrote:
>>> The term opportunistic has become the new synonym for 'Good' but it
>>> is being used for many different things.
>>> A) Unauthenticated key exchange
>> Fwiw, this is IMO an error since I first introduced BTNS, and I had to
>> clear it up on Wikipedia multiple times. I see nothing opportunistic
>> about this mode as a stand-alone concept.
> The original use of the termappears to be from RFC 4322, Micheal
> Richardson's document. He describes how to use keys retrieved from
> the DNS with IPsec/IKE, without prior, bilateral arrangements for
> access control, via the SPD. He defined OE that way, and noted that
> it was not an unauthenticated mode of IPsec.

RFC4322 defines OE.

Section 1.2 describes "anonymous encryption" which is basically 
unauthenticated key exchange.

 From later in that section:

    Although it is a useful mode, anonymous encryption is not the goal of
    this project.

Michael and I discussed the difference between the two (OE and anonymous 
encryption) on many occasions, and I don't think either of us ever 
confused the two (though someone who edited Wikipedia did once). The 
sentence above confirms that, AFAICT.

 > I prefer that we stick
> with that definition of the term, which is IPsec-specific.

I'm not quite sure what term or what definition you're referring to: OE, 
anonymous encryption, or unauthenticated key exchange. Can you clarify?

> I have
> suggested "opportunistic keying" as a preferred term, since its the
> key management, not the encryption per se, that distinguishes other
> proposed modes of operation for IPsec, TLS, etc.

I agree if you're replacing OE with OK ;-)

> The breakout group at the STRINT workshop that discussed terminology
> suggested using the term noted above.

Sorry, but to clarify, which term?