On Thu, Feb 27, 2014 at 03:17:53PM +1100, Mark Andrews wrote:
> I walk into a coffee shop. I get an address. I manage to get IPsec
> running between the server and myself because both ends are configured
> for opportunistic IPsec.

What does that have to do with the deployment scenario I was asking about in the Microsoft case, or the one I understood Paul to be asking about?

Those cases are entirely to do with managed infrastructure, and the question is, _if_ you have that kind of managed infrastructure scenario and _if_ you accept that someone could subvert your management model (but you don't care because if they can do that then you're screwed anyway), then is there any value in the AD bit? I think the answer is, "Maybe," but we're never going to sort that out if people persist with arguments about scenarios that have nothing to do with the one under discussion.

Yes, you should not trust the AD bit from random parts of the Internet or opportunistic IPsec or whatever. But that's not the case we're talking about, I think.

A

--
Andrew Sullivan
[email protected]
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
