Re: [saag] Fwd: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC
Rene Struik <rstruik.ext@gmail.com> Fri, 11 July 2014 14:09 UTC
Message-ID: <53BFEFFB.80809@gmail.com>
Date: Fri, 11 Jul 2014 10:08:59 -0400
From: Rene Struik <rstruik.ext@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] Fwd: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC
References: <20140708150940.1412.7682.idtracker@ietfa.amsl.com> <53BC0F94.8020608@cs.tcd.ie>
In-Reply-To: <53BC0F94.8020608@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/5VBuPY1iQpJqFbBn18-ZPsi4dyo
Dear colleagues:

One of my concerns with Optimistic Encryption is that it may have as side effect that it may be tempting for implementers to move from secure and authentic channel set-up to just encrypted (but unauthenticated) channels, since it - how convenient - removes the need for any admin... I can already see arguments about why one should spend money on authentication support if the attack window is so small, etc., akin to discussions I have seen rampant in industrial control settings, where some people have argued that communicating symmetric keys wirelessly over the air for bootstrapping is okay, "since nobody would listen in anyway".

I think this is a major risk. If this "substitution risk" were to materialize, we might actually lower the bar and set back the clock nearly 40 years, since realizing encrypted, unauthenticated channels was already proposed in the 1976 paper on "New Directions in Cryptography".

Shouldn't one at least add some more extensive verbiage about security policy enforcement? After all, the reason to do authentication would be to have some evidence on the party one is communicating with, and one can then arrive at more fine-grained conclusions as to authorization and the scope hereof, based on that evidence. The day-to-day risk for security architectures may be an increase of admin cost if there would ever be a lifecycle event after initial provisioning, where lack of authentication may really hurt.

Rene

On 7/8/2014 11:34 AM, Stephen Farrell wrote:
> IETF LC started as promised.
>
> Cheers,
> S.
>
>
> -------- Original Message --------
> Subject: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC
> Date: Tue, 08 Jul 2014 08:09:40 -0700
> From: The IESG <iesg-secretary@ietf.org>
> Reply-To: ietf@ietf.org
> To: IETF-Announce <ietf-announce@ietf.org>
>
> The IESG has received a request from an individual submitter to consider the following document:
> - 'Opportunistic Security: some protection most of the time' <draft-dukhovni-opportunistic-security-01.txt> as Informational RFC
>
> The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2014-08-05. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.
>
> Abstract
>
> This memo defines the term "opportunistic security". In contrast to the established approach of delivering strong protection some of the time, opportunistic security strives to deliver at least some protection most of the time. The primary goal is therefore broad interoperability, with security policy tailored to the capabilities of peer systems.
>
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-dukhovni-opportunistic-security/
>
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-dukhovni-opportunistic-security/ballot/
>
> No IPR declarations have been submitted directly on this I-D.
>
> This document and a predecessor have been the subject of discussion on the saag mailing list. [1]
>
> [1] https://www.ietf.org/mail-archive/web/saag/current/maillist.html
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
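The message above warns that an encrypted but unauthenticated channel invites implementers to substitute encryption for authentication. The following added example (not code from the draft, nor from anyone in this thread) makes the difference concrete: it runs an anonymous Diffie-Hellman exchange, then the same exchange with a transcript authenticator, each once over an honest network and once with an active attacker who swaps the public values in transit. Everything in it is the example's own assumption: the three parties, the in-process "wire", the pre-shared key standing in for a long-term credential, and the RFC 3526 group 14 modulus as transcribed here (the code re-checks at runtime that it really is a safe prime, so a transcription slip fails loudly rather than silently weakening the group).

```python
"""Anonymous vs. authenticated Diffie-Hellman under an active attacker.

Added example, not from the draft or the thread.  Group: RFC 3526 MODP group 14
as transcribed here (is_safe_prime_group() re-checks it).  The long-term
credential is a pre-shared key that HMACs the transcript; the wire is simulated
in-process and Mallory may swap public values on it."""
import hashlib
import hmac
import secrets

_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(_P_HEX.split()), 16)
G = 2
Q = (P - 1) // 2                  # prime order of the subgroup G generates
_LEN = (P.bit_length() + 7) // 8  # fixed-width encoding of group elements

def _probably_prime(n, rounds=8):
    """Miller-Rabin; its job here is to catch a transcription slip in P."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime_group():
    return _probably_prime(P) and _probably_prime(Q) and pow(G, Q, P) == 1

def valid_public(y):
    """Reject 0, 1, P-1 and anything outside the order-Q subgroup."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1

class Party:
    def __init__(self, psk=None):
        self.psk = psk                          # long-term credential, if any
        self._x = secrets.randbelow(Q - 2) + 2  # ephemeral secret exponent
        self.pub = pow(G, self._x, P)

    def session_key(self, peer_pub):
        if not valid_public(peer_pub):
            raise ValueError("invalid peer public value")
        return hashlib.sha256(pow(peer_pub, self._x, P).to_bytes(_LEN, "big")).digest()

    def authenticator(self, role, initiator_pub, responder_pub):
        """HMAC over the transcript as this party saw it, keyed by the PSK."""
        t = role + initiator_pub.to_bytes(_LEN, "big") + responder_pub.to_bytes(_LEN, "big")
        return hmac.new(self.psk, t, hashlib.sha256).digest()

def anonymous_dh(mitm):
    """Encryption-only set-up.  Returns (alice_key, bob_key, mallory_keys)."""
    alice, bob, mallory = Party(), Party(), Party()
    a_wire = mallory.pub if mitm else alice.pub  # what Bob receives
    b_wire = mallory.pub if mitm else bob.pub    # what Alice receives
    k_alice, k_bob = alice.session_key(b_wire), bob.session_key(a_wire)
    # An active Mallory ends up with one key per victim and re-encrypts traffic
    # in between; nothing in the exchange itself lets either victim notice.
    m_keys = (mallory.session_key(alice.pub), mallory.session_key(bob.pub)) if mitm else None
    return k_alice, k_bob, m_keys

def authenticated_dh(mitm):
    """Same exchange plus transcript MACs.  Returns (bob_accepts, alice_accepts, keys_match)."""
    psk = secrets.token_bytes(32)
    alice, bob, mallory = Party(psk), Party(psk), Party()
    a_wire = mallory.pub if mitm else alice.pub
    b_wire = mallory.pub if mitm else bob.pub
    # Mallory has no PSK; the best she can do is relay the genuine MACs, which
    # cover the values the victims saw, not the ones she injected.
    a_auth = alice.authenticator(b"A", alice.pub, b_wire)
    b_auth = bob.authenticator(b"B", a_wire, bob.pub)
    bob_accepts = hmac.compare_digest(a_auth, bob.authenticator(b"A", a_wire, bob.pub))
    alice_accepts = hmac.compare_digest(b_auth, alice.authenticator(b"B", alice.pub, b_wire))
    keys_match = alice.session_key(b_wire) == bob.session_key(a_wire)
    return bob_accepts, alice_accepts, keys_match

if __name__ == "__main__":
    assert is_safe_prime_group()
    for mitm in (False, True):
        ka, kb, _ = anonymous_dh(mitm)
        print(f"mitm={mitm}: anonymous keys match={ka == kb}; authenticated={authenticated_dh(mitm)}")
```

Over an honest network both variants yield matching keys, which is the "some protection most of the time" the draft is after: a passive observer of the public values learns nothing about the session key. With Mallory in the middle, anonymous DH still completes successfully from each victim's point of view, and that is precisely the state of affairs the message calls a substitution risk: the traffic is encrypted, but to the wrong party. The authenticated variant fails closed, because a transcript MAC under a credential Mallory does not hold cannot be made to cover the values she injected; a signature under a certified key would bind the exchange in the same way.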
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Joe Touch
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Dave Crocker
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Stephen Farrell
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Joe Touch
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Joe Touch
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Michael Richardson
- Re: Last Call: <draft-dukhovni-opportunistic-secu… S Moonesamy
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Randy Bush
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Viktor Dukhovni
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Eliot Lear
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Stephen Farrell
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Murray S. Kucherawy
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Eliot Lear
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Stephen Farrell
- SMTP authentication (not soon) Viktor Dukhovni
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Sam Hartman
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Nico Williams
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Nico Williams
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Nico Williams
- Re: SMTP authentication (not soon) Niels Dettenbach
- Re: SMTP authentication (not soon) Phillip Hallam-Baker
- Re: SMTP authentication (not soon) Viktor Dukhovni
- Re: SMTP authentication (not soon) Stephen Farrell
- Re: SMTP authentication (not soon) ned+ietf
- Re: SMTP authentication (not soon) Dave Cridland
- Re: SMTP authentication (not soon) Viktor Dukhovni
- Re: SMTP authentication (not soon) Dave Cridland
- Re: SMTP authentication (not soon) Eliot Lear
- Re: SMTP authentication (not soon) Phillip Hallam-Baker
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Viktor Dukhovni
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Rene Struik
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Rene Struik
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Rene Struik
- Re: SMTP authentication (not soon) Dan Wing
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Dave Crocker
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Sam Hartman
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Tim Bray
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Joe Touch
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Stephen Kent
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Stephen Kent
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… t.p.
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Martin Thomson
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Henry B Hotz
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Stephen Kent
- Re: [saag] Last Call: <draft-dukhovni-opportunist… t.p.
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Martin Rex
- Re: Last Call: (pushed -02 update) <draft-dukhovn… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Stephen Kent
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Stephen Kent
- Target audience? (was Re: [saag] Last Call: <draf… Dave Crocker
- Re: Target audience? (was Re: [saag] Last Call: <… Viktor Dukhovni
- Re: Target audience? (was Re: [saag] Last Call: <… Viktor Dukhovni
- Re: Target audience? (was Re: [saag] Last Call: <… Scott Kitterman
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Stephen Kent
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Dave Crocker
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Dave Crocker
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Dave Crocker
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Scott Kitterman
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Dave Crocker
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Scott Kitterman
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Patrik Fältström
- Wikipedia, was Target audience? (was Last Call Op… Alessandro Vesely
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Stephen Farrell
- Best Effort Key Management (was Re: [saag] Last C… Dave Crocker
- Re: Best Effort Key Management (was Re: [saag] La… Stephen Farrell
- Re: Best Effort Key Management (was Re: [saag] La… Stephen Farrell
- Re: Best Effort Key Management (was Re: [saag] La… Dave Crocker
- Re: Best Effort Key Management (was Re: [saag] La… Viktor Dukhovni
- Re: Best Effort Key Management (was Re: [saag] La… Dave Crocker
- Re: Best Effort Key Management (was Re: [saag] La… Stephen Farrell
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Stephen Kent
- Re: [saag] Best Effort Key Management (was Re: La… Viktor Dukhovni
- Re: Best Effort Key Management (was Re: [saag] La… Paul Wouters
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Nico Williams
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Viktor Dukhovni
- Re: Best Effort Key Management (was Re: [saag] La… Scott Kitterman
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Stephen Farrell
- Individual submission (was: Best Effort Key Manag… S Moonesamy
- Re: Individual submission Dave Crocker
- Re: [saag] Last Call: <draft-dukhovni-opportunist… John C Klensin
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Mark Andrews
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: Individual submission Abdussalam Baryun
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Nico Williams
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Nico Williams
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Paul Wouters
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Paul Wouters
- Re: [saag] Fwd: Last Call: <draft-dukhovni-opport… Rene Struik
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Nico Williams
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Nico Williams
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Nico Williams
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Stephen Farrell
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Stephen Farrell
- Re: Target audience? (was Re: [saag] Last Call: <… Stephen Farrell
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Paul Wouters
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Nico Williams
- What does DNSSec protect? (Re: [saag] Last Call: … Dave Crocker
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Steve Crocker
- Re: What does DNSSec protect? (Re: [saag] Last Ca… Paul Wouters
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Donald Eastlake
- Re: [saag] What does DNSSec protect? (Re: Last Ca… John C Klensin
- Re: [saag] What does DNSSec protect? (Re: Last Ca… John Levine
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Andrew Sullivan
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Brian E Carpenter
- Re: [saag] What does DNSSec protect? (Re: Last Ca… John C Klensin
- Re: [saag] What does DNSSec protect? (Re: Last Ca… John C Klensin
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Henry B Hotz
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Andrew Sullivan
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Mark Andrews
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Nico Williams
- Re: [saag] What does DNSSec protect? (Re: Last Ca… Nico Williams
- Re: [saag] What does DNSSec protect? (Re: Last Ca… João Damas
- Re: [saag] What does DNSSec protect? (Re: Last Ca… manning
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Stephen Farrell
- Re: Last Call: <draft-dukhovni-opportunistic-secu… Stephen Kent
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Viktor Dukhovni
- Protocol Design Pattern (was Re: [saag] Last Call… Dave Crocker
- Re: Protocol Design Pattern (was Re: [saag] Last … Scott Kitterman
- Re: Protocol Design Pattern (was Re: [saag] Last … Dave Crocker
- Re: [saag] Protocol Design Pattern (was Re: Last … Benjamin Kaduk
- Re: Protocol Design Pattern (was Re: [saag] Last … Nico Williams
- Re: Protocol Design Pattern (was Re: [saag] Last … Paul Wouters
- Re: Protocol Design Pattern (was Re: [saag] Last … Nico Williams
- Re: Protocol Design Pattern (was Re: [saag] Last … Nico Williams
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Stephen Kent
- Re: Protocol Design Pattern (was Re: [saag] Last … Stephen Kent
- Re: Protocol Design Pattern (was Re: [saag] Last … Stephen Farrell
- Re: Protocol Design Pattern (was Re: [saag] Last … Dave Crocker
- Re: Protocol Design Pattern (was Re: [saag] Last … Stephen Farrell
- Re: [saag] Last Call: <draft-dukhovni-opportunist… Benjamin Kaduk
- Re: [saag] Protocol Design Pattern (was Re: Last … Benjamin Kaduk
- Re: [saag] Protocol Design Pattern (was Re: Last … Benjamin Kaduk
- Re: [saag] Protocol Design Pattern (was Re: Last … Dave Crocker
- Re: Protocol Design Pattern (was Re: [saag] Last … Eliot Lear
- Re: [saag] Protocol Design Pattern (was Re: Last … Stephen Kent
- Re: [saag] Protocol Design Pattern (was Re: Last … Stephen Farrell
- Re: [saag] Protocol Design Pattern (was Re: Last … Benjamin Kaduk
- Re: [saag] Protocol Design Pattern (was Re: Last … Dave Crocker
- Re: [saag] Protocol Design Pattern (was Re: Last … Stephen Kent
- Re: [saag] Protocol Design Pattern (was Re: Last … Stephen Kent
- Re: [saag] Protocol Design Pattern (was Re: Last … Benjamin Kaduk
- Re: Protocol Design Pattern (was Re: [saag] Last … t.p.
- Re: [saag] Protocol Design Pattern (was Re: Last … Eliot Lear
- Re: [saag] Protocol Design Pattern (was Re: Last … Benjamin Kaduk
- Re: [saag] Protocol Design Pattern (was Re: Last … Henry B (Hank) Hotz, CISSP