Re: [dane] [saag] Need better opportunistic terminology

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 12 March 2014 21:13 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <5320C932.3010107@cs.tcd.ie>
References: <CAMm+LwjF9To+w3K4RR=72BbLNE2hJa9CibWOEARYmODiuFNu9g@mail.gmail.com> <082D04F9-DBB4-4492-BE91-C4E3616AC24D@isi.edu> <531F85D5.2070209@bbn.com> <531F8A53.1040103@isi.edu> <531F8E5F.8030705@isi.edu> <20140312062756.GN11878@anguilla.noreply.org> <3454.1394657237@sandelman.ca> <5320C932.3010107@cs.tcd.ie>
Date: Wed, 12 Mar 2014 17:13:38 -0400
Message-ID: <10021.1394658818@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/XDJE4Qru7X36QbR01haZG5M2Qdg
Cc: Peter Palfrader <peter@palfrader.org>, saag <saag@ietf.org>, dane@ietf.org
Subject: Re: [dane] [saag] Need better opportunistic terminology

Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
    > On 03/12/2014 08:47 PM, Michael Richardson wrote:
    >> The part that we are all discussing is determining how (much) to
    >> trust the DH results.

    > I don't think that's a very accurate characterisation
    > to be honest.

    > I think the most relevant (but intertwined) factors are:

    > - trading off ease of deployment vs. endpoint authentication
    > - trading off protection against passive vs active attack
    > - better separating key exchange from endpoint authentication
    > so that traditional authentication or TOFU or whatever can
    > be used before during or after key exchange

But, you made my point.

While the end user sees the overall benefit as:
      my traffic cannot be seen

The problems and challenges that we have are not in how or even when to
apply AES, it's how/when to do the DH.

To the end user, having the word "encryption" in the terminology is useful
because it tells them why they should pay attention to it.

To us, it's a red-herring, because it's not where the issue is.
You listed the issues.

(BTW: my TLA cache is failing on "TOFU")

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting for hire =-