kent crispin <[EMAIL PROTECTED]> writes:

>On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote:
>>Grab OpenVPN (which is what OpenSWAN should be), install, point it at the
>>target system, and you have opportunistic encryption.
>
>Forgive my doltishness, but could you expand on that just a bit, please (or
>point at the right place in the docs)? I've used openvpn to set up dedicated
>tunnels, but it isn't immediately obvious to me how it would be configured to
>do opportunistic encryption.
OK, it looks like there are several different views of what opportunistic encryption actually is. My definition was "I'd like to talk to X, with encryption if available", which is what the STARTTLS/STLS/AUTH TLS upgrade mechanisms do for POP/IMAP/SMTP/FTP. In that sense no tunnel mechanism (at least that I know of) can really do that, you'd need something like a STARTTLS mechanism for L2TP (the non-opportunistic way of doing this is to run L2TP over IPsec). I don't know why anyone'd want to implement that, since it's easier to just drop in your VPN app or device of choice.

The opportunistic encryption that OpenVPN gives you is manual rather than automatic, since there's no way to upgrade "any protocol at all" to "any protocol at all, but with encryption". The reason it's opportunistic is because it allows you to use the equivalent of unauthenticated DH (self-signed/arbitrary-CA certificates) rather than putting you through the torture test of obtaining and configuring a cert from a recognised CA (that's non-opportunistic, and because it's so difficult, frequently just non-encryption).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
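The two axes Peter separates above, "encrypt if the peer offers it" (the STARTTLS-style upgrade) versus "require encryption", and "unauthenticated DH with any cert" versus "verify against a recognised CA", can be made concrete with a small SMTP client-side decision routine. This is an added example, not code from the thread or from OpenVPN; the EHLO replies are constructed, and the `Mode`, `parse_ehlo` and `plan_session` names are my own. The stripped reply shows the failure mode of opportunistic upgrade: an active attacker who removes the STARTTLS capability line silently gets a cleartext session unless the client is in mandatory mode.

```python
import ssl
from enum import Enum

class Mode(Enum):
    OPPORTUNISTIC = "opportunistic"  # encrypt if the peer offers it, else talk in the clear
    MANDATORY = "mandatory"          # refuse to continue without encryption

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same server as seen through an active attacker that strips the STARTTLS line.
EHLO_STRIPPED = EHLO_WITH_STARTTLS.replace("250-STARTTLS\r\n", "")

def parse_ehlo(reply: str) -> set[str]:
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    lines = [l for l in reply.splitlines() if l.startswith("250")]
    # The first 250 line carries the server's greeting, not an extension.
    return {l[4:].split()[0].upper() for l in lines[1:] if l[4:].strip()}

def plan_session(reply: str, mode: Mode, verify_peer: bool) -> dict:
    """Decide how the client proceeds after EHLO.

    verify_peer=False is the self-signed/arbitrary-CA case: the channel is
    encrypted but the peer is not authenticated, so it defeats passive
    eavesdropping only. verify_peer=True is the recognised-CA case.
    """
    if "STARTTLS" in parse_ehlo(reply):
        ctx = ssl.create_default_context()  # verifies hostname and CA chain by default
        if not verify_peer:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # accept any certificate (unauthenticated DH analogue)
        return {"action": "starttls", "authenticated": verify_peer, "context": ctx}
    if mode is Mode.MANDATORY:
        return {"action": "abort", "authenticated": False, "context": None}
    # Opportunistic fallback: nothing offered (or it was stripped), so carry on in clear.
    return {"action": "plaintext", "authenticated": False, "context": None}

if __name__ == "__main__":
    for name, reply in (("offered", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        for mode in Mode:
            print(name, mode.value, plan_session(reply, mode, verify_peer=False)["action"])
```

Only the mandatory mode turns the stripped reply into a visible failure; the opportunistic mode degrades to plaintext, which is exactly the trade-off the thread is describing.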