Re: [Uta] opportunistic keying / encryption considered of dubious value
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 17 March 2014 01:28 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 412221A034D for <uta@ietfa.amsl.com>; Sun, 16 Mar 2014 18:28:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id INvqJwqtZJuK for <uta@ietfa.amsl.com>; Sun, 16 Mar 2014 18:28:51 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 4CFFC1A034B for <uta@ietf.org>; Sun, 16 Mar 2014 18:28:51 -0700 (PDT)
Received: from [10.156.156.160] (cpe-66-108-141-251.nyc.res.rr.com [66.108.141.251]) by che.mayfirst.org (Postfix) with ESMTPSA id 15982F984; Sun, 16 Mar 2014 21:28:41 -0400 (EDT)
Message-ID: <53264FC9.40106@fifthhorseman.net>
Date: Sun, 16 Mar 2014 21:28:41 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Keith Moore <moore@network-heretics.com>, uta@ietf.org
References: <53249D4E.2080104@network-heretics.com> <CACsn0ckE8_-r1RcbfV-szOjPB7m4dLvc2qRJoY5L34qK0yYuYA@mail.gmail.com> <E1B265E4-D9DE-42FB-BF54-AE4CF846117A@vpnc.org> <5324ADED.4020705@network-heretics.com>
In-Reply-To: <5324ADED.4020705@network-heretics.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="1n5sq4U77ErDgIB62scI5SqdAcce22MR5"
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/PExttk_YS8BuPSEZagXEs4DoCMo
Subject: Re: [Uta] opportunistic keying / encryption considered of dubious value
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 01:28:53 -0000
On 03/15/2014 03:45 PM, Keith Moore wrote: > On 03/15/2014 03:07 PM, Paul Hoffman wrote: >> On Mar 15, 2014, at 11:43 AM, Watson Ladd <watsonbladd@gmail.com> wrote: >> >>> All DANE/TOFU/latching imply a commitment by both sides to maintain >>> and manage identity. >> A big +1 to Watson's simple explanation. DANE/TOFU/latching all >> specify that if the initiator gets a key that is wrong, they will >> prevent communication in order to protect the initiator. [...] > I also think that if you're running a server that uses encryption, you > should be regularly and frequently monitoring your certs, DNS records, > etc. for validity and correctness. Just to clarify, the work you're describing *is* the "commitment ... to maintain and manage identity" that Watson and Paul are identifying as a major barrier that has kept systems administrators from deploying strong crypto. This maintenance work is extra work that does not have to be done by a server operator who only runs cleartext services. Opportunistic keying (OK) also doesn't require this extra work. OK doesn't replace or supplant encryption with properly authenticated endpoints. It replaces and supplants cleartext communications, while placing no additional demands on system administrators. Those administrators still really should move to proper strong crypto, and software developers should produce tools with a sane UI/UX that can minimize the hassle involved with ongoing cryptographic credential maintenance work, to reduce the barrier that still remains. --dkg
- [Uta] opportunistic keying / encryption considere… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Watson Ladd
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Paul Hoffman
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Michael Richardson
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Michael Richardson
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Yan Zhu
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Alyssa Rowan
- Re: [Uta] opportunistic keying / encryption consi… Olle E. Johansson
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Leif Johansson
- Re: [Uta] opportunistic keying / encryption consi… Alan Johnston
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Yan Zhu
- Re: [Uta] opportunistic keying / encryption consi… Daniel Kahn Gillmor
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Michael Richardson
- [Uta] getting back to UTA and injecting clue (was… Eliot Lear
- Re: [Uta] opportunistic keying / encryption consi… Salz, Rich
- Re: [Uta] opportunistic keying / encryption consi… Alyssa Rowan
- Re: [Uta] opportunistic keying / encryption consi… Olle E. Johansson
- Re: [Uta] opportunistic keying / encryption consi… Daniel Kahn Gillmor
- Re: [Uta] opportunistic keying / encryption consi… Alyssa Rowan
- Re: [Uta] opportunistic keying / encryption consi… Alyssa Rowan
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] getting back to UTA and injecting clue Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] getting back to UTA and injecting clue … Olle E. Johansson
- Re: [Uta] opportunistic keying / encryption consi… Keith Moore
- Re: [Uta] opportunistic keying / encryption consi… Orit Levin (LCA)
- Re: [Uta] opportunistic keying / encryption consi… Rick Andrews
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Trevor Perrin
- Re: [Uta] opportunistic keying / encryption consi… Stephen Farrell
- Re: [Uta] opportunistic keying / encryption consi… Trevor Perrin
- Re: [Uta] opportunistic keying / encryption consi… Watson Ladd
- Re: [Uta] opportunistic keying / encryption consi… Christian Huitema
- Re: [Uta] opportunistic keying / encryption consi… t.p.
- Re: [Uta] opportunistic keying / encryption consi… Adam Langley
- Re: [Uta] opportunistic keying / encryption consi… t.p.
- Re: [Uta] getting back to UTA and injecting clue Peter Saint-Andre
- Re: [Uta] getting back to UTA and injecting clue Peter Saint-Andre
- Re: [Uta] getting back to UTA and injecting clue Alexey Melnikov
- Re: [Uta] getting back to UTA and injecting clue Leif Johansson