Joe,
>
yeah, I like OK (and I like IKE too, for those of us old enough to
appreciate that election slogan)

I'm still a little hesitant, thinking on it further, about the term "opportunistic" in this sense at all.

BTNS uses unsigned key exchange, and there's nothing "opportunistic" about it. Unsigned authentication is the goal from the start.

OE as defined in RFC 4322 isn't about using unsigned key exchange; the "opportunistic" sense is derived from using keys retrieved from DNS without prior agreement. That's not what happens in BTNS.
agreed.
Paul just noted:
"Opportunistic keying does provide authentication, it's just that
the authentication is only to the public key and is not
tightly bound to any other type of identification (address, name, etc.)"
Public keys are not principals. We went through that long and painful discussion during the SPKI days. So, saying that OE provides authentication of a key seems meaningless to me, especially if the key is ephemeral.
I.e., fundamentally, opportunistic approaches are completely different from those that don't ever bother to authenticate. I don't think it's useful (and could be confusing) to confuse the two by overlapping terminology.
Well, we don't have an agreed upon definition for O* yet. My view is that the primary goal of this effort is to remove barriers to using encryption. Since authenticating the identity of a peer or server has tended to be a barrier, we seem willing to make that form of authentication optional. But, we still prefer authentication, because we'd like to avoid MiTM attacks. That suggests that O* refers to techniques that emphasize encryption, prefer that it be authenticated, but are willing to fall back to un-authenticated encryption if that's the best we can do. (And to fall back to plaintext if the peer/server is not capable of our new-fangled O*.)
I don't like the term "optimistic" either; it too implies something that you "hope works". There's no "hope" associated with unsigned key exchange; you do it (IMO) because you know what it is and you know its impact (e.g., raising the bar of an attacker to performing a full key exchange, vs. just tossing single packets like RSTs around).
I'm not wedded to either term, but I'd like to emphasize that the encryption process is the same in all cases; it's the key management that's different.

Is there a reason not to just call unauthenticated key exchange what it is - unauthenticated key exchange?
I think we want more than that, as I described above, hence the desire to coin a new term.

Steve
