Re: [dane] [saag] Need better opportunistic terminology
Joe Touch <touch@isi.edu> Wed, 12 March 2014 16:50 UTC
Return-Path: <touch@isi.edu>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 921031A0745; Wed, 12 Mar 2014 09:50:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2NxeLdIbM9Oo; Wed, 12 Mar 2014 09:50:40 -0700 (PDT)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) by ietfa.amsl.com (Postfix) with ESMTP id 339ED1A0829; Wed, 12 Mar 2014 09:50:18 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id s2CGnGDf017693 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 12 Mar 2014 09:49:18 -0700 (PDT)
Message-ID: <5320900C.2030007@isi.edu>
Date: Wed, 12 Mar 2014 09:49:16 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, dane@ietf.org, saag <saag@ietf.org>
References: <CAMm+LwjF9To+w3K4RR=72BbLNE2hJa9CibWOEARYmODiuFNu9g@mail.gmail.com> <082D04F9-DBB4-4492-BE91-C4E3616AC24D@isi.edu> <531F85D5.2070209@bbn.com> <531F8A53.1040103@isi.edu> <53206293.8020907@bbn.com>
In-Reply-To: <53206293.8020907@bbn.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ek3TiH8G3O9956lrQoyztQdB6CY
Subject: Re: [dane] [saag] Need better opportunistic terminology
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Mar 2014 16:50:45 -0000
Steve (et al.), On 3/12/2014 6:35 AM, Stephen Kent wrote: > Joe, > >> ... >>> with that definition of the term, which is IPsec-specific. >> >> I'm not quite sure what term or what definition you're referring to: >> OE, anonymous encryption, or unauthenticated key exchange. Can you >> clarify? > > OE. I argue that OE is defined only for IPsec, because the definition > focuses on how to > avoid the need to coordinate SPD entries at each end. Agreed. >>> I have >>> suggested "opportunistic keying" as a preferred term, since its the >>> key management, not the encryption per se, that distinguishes other >>> proposed modes of operation for IPsec, TLS, etc. >> >> I agree if you're replacing OE with OK ;-) > > yeah, I like OK (and I like IKE too, for those of us old enough to > appreciate that election slogan) I'm still a little hesitant, thinking on it further, about the term "opportunistic" in this sense at all. BTNS uses unsigned key exchanged, and there's nothing "opportunistic" about it. Unsigned authentication is the goal from the start. OE as defined in RFC 4322 isn't about using unsigned key exchange; the "opportunistic" sense is derived from using keys retrieved from DNS without prior agreement. That's not what happens in BTNS. Paul just noted: "Opportunistic keying does provide authentication, it's just that the authentication is only to the public key and is not tightly bound to any other type of identification (address, name, etc.)" I.e., fundamentally, opportunistic approaches are completely different from those that don't ever bother to authenticate. I don't think it's useful (and could be confusing) to confuse the two by overlapping terminology. I don't like the term "optimistic" either; it too implies something that you "hope works". There's no "hope" associated with unsigned key exchange; you do it (IMO) because you know what it is and you know its impact (e.g., raising the bar of an attacker to performing a full key exchange, vs. just tossing single packets like RSTs around). Is there a reason not to just call unauthenticated key exchange what it is - unauthenticated key exchange? If you want something pithy, maybe "Zero-ID security"? >> The breakout group at the STRINT workshop that discussed terminology >>> suggested using the term noted above. >> >> Sorry, but to clarify, which term? > > OK vs. OE. Thanks for the clarification. Joe
- Re: [dane] Need better opportunistic terminology Viktor Dukhovni
- [dane] Need better opportunistic terminology Phillip Hallam-Baker
- Re: [dane] [saag] Need better opportunistic termi… Joe Touch
- Re: [dane] Need better opportunistic terminology Viktor Dukhovni
- Re: [dane] Need better opportunistic terminology Michael Richardson
- Re: [dane] Need better opportunistic terminology Viktor Dukhovni
- Re: [dane] [saag] Need better opportunistic termi… Stephen Kent
- Re: [dane] [saag] Need better opportunistic termi… Joe Touch
- Re: [dane] [saag] Need better opportunistic termi… Joe Touch
- Re: [dane] [saag] Need better opportunistic termi… Michael Richardson
- Re: [dane] [saag] Need better opportunistic termi… Peter Palfrader
- Re: [dane] [saag] Need better opportunistic termi… Tony Finch
- Re: [dane] [saag] Need better opportunistic termi… Stephen Farrell
- Re: [dane] [saag] Need better opportunistic termi… Paul Lambert
- Re: [dane] [saag] Need better opportunistic termi… Stephen Kent
- Re: [dane] Need better opportunistic terminology Tony Finch
- Re: [dane] [saag] Need better opportunistic termi… Joe Touch
- Re: [dane] [saag] Need better opportunistic termi… Stephen Farrell
- Re: [dane] [saag] Need better opportunistic termi… Nico Williams
- Re: [dane] [saag] Need better opportunistic termi… Joe Touch
- Re: [dane] [saag] Need better opportunistic termi… Joe Touch
- Re: [dane] [saag] Need better opportunistic termi… Michael Richardson
- Re: [dane] [saag] Need better opportunistic termi… Stephen Farrell
- Re: [dane] [saag] Need better opportunistic termi… Michael Richardson
- Re: [dane] [saag] Need better opportunistic termi… Stephen Farrell
- Re: [dane] [saag] Need better opportunistic termi… Stephen Kent
- Re: [dane] [saag] Need better opportunistic termi… Stephen Kent
- Re: [dane] [saag] Need better opportunistic termi… Joe Touch
- Re: [dane] [saag] Need better opportunistic termi… Viktor Dukhovni
- Re: [dane] [saag] Need better opportunistic termi… Phillip Hallam-Baker
- Re: [dane] [saag] Need better opportunistic termi… Derek Atkins
- Re: [dane] [saag] Need better opportunistic termi… Paul Lambert
- Re: [dane] [saag] Need better opportunistic termi… Derek Atkins
- Re: [dane] [saag] Need better opportunistic termi… Stephen Farrell
- Re: [dane] [saag] Need better opportunistic termi… Nico Williams
- Re: [dane] [saag] Need better opportunistic termi… Olle E. Johansson
- Re: [dane] [saag] Need better opportunistic termi… Tony Finch
- Re: [dane] [saag] Need better opportunistic termi… Joe Touch