The term opportunistic has become the new synonym for 'Good' but it is being used for many different things.

A) Unauthenticated key exchange
B) Upgrade from plaintext to encrypted without controlling security policy requiring use of encryption.
C) Silent-fail on bad credentials
D) Silent-success on bad credentials

There are arguments for all of these but I am just watching a presentation on 'opportunistic encryption' in DANE and I think the term is selling DANE short.

DNS is an authoritative path for statements about DNS labels. Ergo authenticated DNS RRs are authenticated statements about them.

DANE provides authenticated statements about security policy and keys. Ergo DANE cannot support opportunistic encryption because it is policy directed encryption (i.e. better).

--
Website: http://hallambaker.com/
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
