Re: [dane] [saag] Need better opportunistic terminology
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 12 March 2014 17:04 UTC
Message-ID: <53209382.3070809@cs.tcd.ie>
Date: Wed, 12 Mar 2014 17:04:02 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Joe Touch <touch@isi.edu>, Stephen Kent <kent@bbn.com>, dane@ietf.org, saag <saag@ietf.org>
References: <CAMm+LwjF9To+w3K4RR=72BbLNE2hJa9CibWOEARYmODiuFNu9g@mail.gmail.com> <082D04F9-DBB4-4492-BE91-C4E3616AC24D@isi.edu> <531F85D5.2070209@bbn.com> <531F8A53.1040103@isi.edu> <53206293.8020907@bbn.com> <5320900C.2030007@isi.edu>
In-Reply-To: <5320900C.2030007@isi.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/pSd7zkKDeaBU-OKr-mxl-kP99BQ
(again, I'd suggest one list for this if we can and the UTA wg list, but
hopefully that'll settle down when there's an I-D, and since I'm not the
boss of us anyway...:-)

On 03/12/2014 04:49 PM, Joe Touch wrote:
> Steve (et al.),
>
> On 3/12/2014 6:35 AM, Stephen Kent wrote:
>> Joe,
>>
>>> ...
>>>> with that definition of the term, which is IPsec-specific.
>>>
>>> I'm not quite sure what term or what definition you're referring to:
>>> OE, anonymous encryption, or unauthenticated key exchange. Can you
>>> clarify?
>>
>> OE. I argue that OE is defined only for IPsec, because the definition
>> focuses on how to avoid the need to coordinate SPD entries at each end.
>
> Agreed.
>
>>>> I have suggested "opportunistic keying" as a preferred term, since
>>>> it's the key management, not the encryption per se, that
>>>> distinguishes other proposed modes of operation for IPsec, TLS, etc.
>>>
>>> I agree if you're replacing OE with OK ;-)
>>
>> yeah, I like OK (and I like IKE too, for those of us old enough to
>> appreciate that election slogan)
>
> I'm still a little hesitant, thinking on it further, about the term
> "opportunistic" in this sense at all.

I do think we want to define that term even if we do not want to
encourage its use. It is being used and with subtly different meanings
by different folks.

> BTNS uses unsigned key exchange, and there's nothing "opportunistic"
> about it. Unsigned authentication is the goal from the start.
>
> OE as defined in RFC 4322 isn't about using unsigned key exchange; the
> "opportunistic" sense is derived from using keys retrieved from DNS
> without prior agreement. That's not what happens in BTNS.
>
> Paul just noted:
> "Opportunistic keying does provide authentication, it's just that
> the authentication is only to the public key and is not
> tightly bound to any other type of identification (address, name, etc.)"
>
> I.e., fundamentally, opportunistic approaches are completely different
> from those that don't ever bother to authenticate. I don't think it's
> useful (and could be confusing) to confuse the two by overlapping
> terminology.
>
> I don't like the term "optimistic" either; it too implies something that
> you "hope works". There's no "hope" associated with unsigned key
> exchange; you do it (IMO) because you know what it is and you know its
> impact (e.g., raising the bar of an attacker to performing a full key
> exchange, vs. just tossing single packets like RSTs around).
>
> Is there a reason not to just call unauthenticated key exchange what it
> is - unauthenticated key exchange?

Yes. "authenticated encryption" is a term of art (AEAD etc.) and this
would be confusingly close - it'd be inevitable that some would end up
saying unauthenticated encryption and thereby would confuse the real
crypto folks.

I like the OK term myself and would be happy if we landed on encouraging
its use, based on a good definition. But I'm fine if we end up calling
it squiggle, so long as we all end up calling the same "it" that.

> If you want something pithy, maybe "Zero-ID security"?

Too close to zero-touch (which is not ad-hominem, but is a term being
used in netconf - Joe you just *have* to get involved in that:-)

S.

>>> The breakout group at the STRINT workshop that discussed terminology
>>>> suggested using the term noted above.
>>>
>>> Sorry, but to clarify, which term?
>>
>> OK vs. OE.
>
> Thanks for the clarification.
>
> Joe
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag