[dane] Need better opportunistic terminology

Phillip Hallam-Baker <hallam@gmail.com> Thu, 06 March 2014 09:23 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FADB1A0178; Thu, 6 Mar 2014 01:23:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iw7TOtBtsx-y; Thu, 6 Mar 2014 01:23:28 -0800 (PST)
Received: from mail-la0-x230.google.com (mail-la0-x230.google.com [IPv6:2a00:1450:4010:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id 871231A0189; Thu, 6 Mar 2014 01:23:27 -0800 (PST)
Received: by mail-la0-f48.google.com with SMTP id gf5so1549770lab.35 for <multiple recipients>; Thu, 06 Mar 2014 01:23:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=jFbYMBmDPSk/cZ2XQuBNbkpCX4E57uDJDRQ0ZYPC88Q=; b=LjYHQAuhDtE88s5DeVyawSu4O25lb5me/WBHvSSw5FTT4YM7M6/9ATqWVs7tty5DnO EPcmFKzGcolFSH2OXNdHT/SnklAr+MQZYRt5Nlg6VzmCCcM3XnlxKZjEGSQIq7+upObo 0jI8LXkNC2HhJ/9+XgcZ+NGno7BMRT2O7rygNe3ZDPlP3zYkMwV9o5NB17aOOEXfYXzZ W6FuyNHdhqgVQk3f1iPd5yVv8ryVsXFDNyAVXjh/Y0l5DexTV1dxB27Fg8cc3o1vKKzZ 4nYeOOob9zJ8zJtihCky4S58uqItJWb8tA6eyMKYLio1N59WgP/sIM7hG5W6wxUJkDtb nWuA==
MIME-Version: 1.0
X-Received: by 10.112.161.133 with SMTP id xs5mr723319lbb.51.1394097803060; Thu, 06 Mar 2014 01:23:23 -0800 (PST)
Received: by 10.112.37.168 with HTTP; Thu, 6 Mar 2014 01:23:23 -0800 (PST)
Date: Thu, 6 Mar 2014 09:23:23 +0000
Message-ID: <CAMm+LwjF9To+w3K4RR=72BbLNE2hJa9CibWOEARYmODiuFNu9g@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "saag@ietf.org" <saag@ietf.org>, "dane@ietf.org" <dane@ietf.org>
Content-Type: multipart/alternative; boundary=001a11c3c042556c1004f3ecb03d
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/wTsD-e1S-2-_ufP6NfNXyfj_rzk
Subject: [dane] Need better opportunistic terminology
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 09:23:31 -0000

The term opportunistic has become the new synonym for 'Good' but it is
being used for many different things.

A) Unauthenticated key exchange

B) Upgrade from plaintext to encrypted without controlling security policy
requiring use of encryption.

C) Silent-fail on bad credentials

D) Silent-success on bad credentials

There are arguments for all of these but I am just watching a presentation
on 'opportunistic encryption' in DANE and I think the term is selling DANE
short.

DNS is an authoritative path for statements about DNS labels. Ergo
authenticated DNS RRs are authenticated statements about them. DANE
provides authenticated statements about security policy and keys. Ergo DANE
cannot support opportunistic encryption because it is policy directed
encryption (i.e. better).



-- 
Website: http://hallambaker.com/