Re: [saag] Would love some feedback on Opportunistic Wireless Encryption

"Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu> Wed, 26 August 2015 18:30 UTC

Return-Path: <hbhotz@oxy.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E48751B303D for <saag@ietfa.amsl.com>; Wed, 26 Aug 2015 11:30:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LDb0lo7MdX-7 for <saag@ietfa.amsl.com>; Wed, 26 Aug 2015 11:30:26 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.201.169]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF77C1B2FDF for <saag@ietf.org>; Wed, 26 Aug 2015 11:30:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id 184CDE180; Wed, 26 Aug 2015 14:30:25 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mailout.easymail.ca
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (easymail-mailout.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vav4F20RNWHU; Wed, 26 Aug 2015 14:30:24 -0400 (EDT)
Received: from [192.168.1.192] (wsip-174-76-19-71.oc.oc.cox.net [174.76.19.71]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 9BFEAE1A4; Wed, 26 Aug 2015 14:30:24 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <CAHw9_iKt39m+tCHYxN4VuVFkJf65Go_V2x0udOtEn32ke+nrkQ@mail.gmail.com>
Date: Wed, 26 Aug 2015 11:30:23 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <DCF8A0F7-180D-4843-AC31-179258768B9B@oxy.edu>
References: <CAHw9_iKt39m+tCHYxN4VuVFkJf65Go_V2x0udOtEn32ke+nrkQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/NGBU3GEW9HbHIJlPVgPMSLpzWDU>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Would love some feedback on Opportunistic Wireless Encryption
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2015 18:30:29 -0000

> On Aug 26, 2015, at 7:53 AM, Warren Kumari <warren@kumari.net>; wrote:
> 
> I'd appreciate it if folk could have a look at this draft and provide
> any feedback.

I agree with the argument that the minimal effort makes it worth doing.

OTOH, I also agree that something you can’t break passively would be better. How about a connection that’s negotiated with D-H key exchange, but you never verify identities? (Hmmm, is there an EAP mech that would effectively do that?)

How hard will it be to get AP makers to adopt whatever is proposed? Is the additional difficulty of DH really a dealbreaker?

Personal:  hbhotz@oxy.edu
Business: hhotz@securechannels.com