Re: [dane] [saag] Need better opportunistic terminology

(again, I'd suggest one list for this if we can and the
UTA wg list, but hopefully that'll settle down when there's
an I-D, and since I'm not the boss of us anyway...:-)

On 03/12/2014 04:49 PM, Joe Touch wrote:
> Steve (et al.),
> 
> On 3/12/2014 6:35 AM, Stephen Kent wrote:
>> Joe,
>>
>>> ...
>>>> with that definition of the term, which is IPsec-specific.
>>>
>>> I'm not quite sure what term or what definition you're referring to:
>>> OE, anonymous encryption, or unauthenticated key exchange. Can you
>>> clarify?
>>
>> OE. I argue that OE is defined only for IPsec, because the definition
>> focuses on how to
>> avoid the need to coordinate SPD entries at each end.
> 
> Agreed.
> 
>>>> I have
>>>> suggested "opportunistic keying" as a preferred term, since its the
>>>> key management, not the encryption per se, that distinguishes other
>>>> proposed modes of operation for IPsec, TLS, etc.
>>>
>>> I agree if you're replacing OE with OK ;-)
>>
>> yeah, I like OK (and I like IKE too, for those of us old enough to
>> appreciate that election slogan)
> 
> I'm still a little hesitant, thinking on it further, about the term
> "opportunistic" in this sense at all.

I do think we want to define that term even if we do not
want to encourage its use. It is being used and with
subtly different meanings by different folks.

> 
> BTNS uses unsigned key exchanged, and there's nothing "opportunistic"
> about it. Unsigned authentication is the goal from the start.
> 
> OE as defined in RFC 4322 isn't about using unsigned key exchange; the
> "opportunistic" sense is derived from using keys retrieved from DNS
> without prior agreement. That's not what happens in BTNS.
> 
> Paul just noted:
> "Opportunistic keying does provide authentication, it's just that
> the authentication is only to the public key and is not
> tightly bound to any other type of identification (address, name, etc.)"
> 
> I.e., fundamentally, opportunistic approaches are completely different
> from those that don't ever bother to authenticate. I don't think it's
> useful (and could be confusing) to confuse the two by overlapping
> terminology.
> 
> I don't like the term "optimistic" either; it too implies something that
> you "hope works". There's no "hope" associated with unsigned key
> exchange; you do it (IMO) because you know what it is and you know its
> impact (e.g., raising the bar of an attacker to performing a full key
> exchange, vs. just tossing single packets like RSTs around).
> 
> Is there a reason not to just call unauthenticated key exchange what it
> is - unauthenticated key exchange?

Yes. "authenticated encryption" is a term of art (AEAD etc) and
this would be confusingly close - it'd be inevitable that some
would end up saying unauthenticated encryption and thereby would
confuse the real crypto folks.

I like the OK term myself and would be happy if we landed on
encouraging its use, based on a good definition.

But I'm fine if we end up calling it squiggle, so long as we
all end up calling the same "it" that.

> 
> If you want something pithy, maybe "Zero-ID security"?

Too close to zero-touch (which is not ad-hominem, but is
a term being used in netconf - Joe you just *have* to get
involved in that:-)

S.

> 
>>> The breakout group at the STRINT workshop that discussed terminology
>>>> suggested using the term noted above.
>>>
>>> Sorry, but to clarify, which term?
>>
>> OK vs. OE.
> 
> Thanks for the clarification.
> 
> Joe
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
> 
> 