Re: [Tcpcrypt] Draft charter text

[MARCELO BAGNULO BRAUN <marcelo@it.uc3m.es>]

Hi,

Joe Touch <touch@isi.edu> dijo:

>
>
> On 4/14/2014 1:15 PM, MARCELO BAGNULO BRAUN wrote:
>> Joe Touch <touch@isi.edu> dijo:
>>
>>> On 4/14/2014 12:20 PM, MARCELO BAGNULO BRAUN wrote:
>>>> So, the goal of this effort is to create a WG to work on
>>>> anonymous/oportunistic encryption for TCP streams.
>>>
>>> That's not at all clear.
>>>
>>> I thought the goal was encryption for TCP streams, which may include
>>> anonymous, zero-ID (which isn't necessarily anonymous), opportunistic,
>>> or other solutions.
>>>
>>> Why the specific focus on anonymous/opportunistic?
>>>
>>> And why list those as if they are related or synonymous?
>>
>> ok, so i think we have a terminology issue here.
>> For me, what i have in mind when writing the charter text, the goal of
>> the work would be to enable encryption without necesarily requiring
>> authentication.
>> For me, anonymous and opportunistic meant the same thing, i was using
>> anonymous in order to stay away from the discussion on oportunistic
>> encryption.
>
> There are three terms:
>
> 	anonymous - which includes proof that a connection cannot be
> 	traced back to a given source, or different connections
> 	can't be correlated to a single source
>
> 	zero-ID - I think this is what you mean, i.e., PKI-free. That
> 	was the original intent of BTNS (RFC 5387), but later came to
> 	include links to channel binding when the WG got hold of it
> 	(RFC 5386).
>
> 	opportunistic - this originated with RFC 4322, which meant
> 	using keying info found in the DNS in the (opportunistic)
> 	hope that it would be useful, rather than negotiating
> 	it with the endpoint.
>


thanks for this.
Yes, i think zero-id as per the definition above is what we want.
I was just rechecking the btns charter and they use the term 
unauthenticated encryption, which would also fit what we are trying to 
do.

more below...

>> I think many of not all of these terms are overloaded. I was hoping
>> the goal of what we want to achieve here was clearer but i guess it
>> requires more precise wording. Is there any termonilogy that is well
>> defined that we can use?
>
> SAAG is currently trying to (re)define 'opportunistic security' to 
> include the original BTNS meaning (zero-ID). I've already pointed out 
> on that this list that such redefinition isn't productive, but they 
> are doing so anyway.
>
> I would suggest here that we use an accurate, meaningful term rather 
> than redefine terms already in (relatively wide) use.
>
> I would suggest zero-ID - akin to zero-configuration or zero-touch 
> network management - if you mean "avoiding PKI".
>
> I would not assume that zero-ID necessarily included links to 
> upper-layer protocol authentication - e.g., TLS - because that 
> doesn't get rid of PKI so much as move the problem to a different 
> layer, where it still isn't solved.
>

right, my concern if we use zero-id or unathenticated, is that it 
sounds as we are rpeventing the hooks for external authentication, but 
i guess it is something we can live with, as long we properly explain 
it in the charter.

makes sense?

Regards, marcelo


> Joe
>
>
>
>
>



-- 
----
MARCELO BAGNULO BRAUN
WebCartero
Universidad Carlos III de Madrid