Paul Hoffman <[email protected]> wrote:
>
> During earlier discussions of opportunistic encryption in the IETF,
> attempted-but-not-required authentication was strongly preferred over
> "don't even attempt to authenticate".

This is only worthwhile if there is downgrade protection, i.e. the client
needs to be able to tell if it is supposed to be able to rely on an
authentication mechanism (e.g. using DANE). Without downgrade protection
it's equivalent to encryption without authentication.

We discussed this a few weeks ago, thread starting at
https://www.ietf.org/mail-archive/web/dns-privacy/current/msg02124.html

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
North Fitzroy, Sole: Variable 4, becoming easterly 4 or 5 in east Sole.
Moderate, occasionally rough at first. Fair. Good.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
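
A small model of the downgrade-protection point made in the message above, added here as an example; it is not part of the original post or of any IETF specification. The `Signal` states, the two policy functions and the fail-closed handling of an unvalidated lookup are assumptions chosen for illustration, with the signal assumed to arrive over a channel the client can validate (for DANE, DNSSEC).

```python
from enum import Enum

class Signal(Enum):
    PRESENT = 1       # validated: server publishes authentication data
    ABSENT = 2        # validated proof that the server publishes none
    UNVALIDATED = 3   # answer missing, stripped, or failed validation

REFUSE = "refuse"
AUTH = "encrypted+authenticated"
UNAUTH = "encrypted, unauthenticated"

def attempt_only(signal, cert_ok):
    """Attempted-but-not-required: try to authenticate, carry on regardless."""
    if signal is Signal.PRESENT and cert_ok:
        return AUTH
    return UNAUTH

def downgrade_protected(signal, cert_ok):
    """Treat a validated signal as a promise the server must keep."""
    if signal is Signal.PRESENT:
        return AUTH if cert_ok else REFUSE
    if signal is Signal.ABSENT:
        return UNAUTH   # server never promised authentication
    return REFUSE       # cannot tell "no signal" from "signal stripped"

def on_path_outcomes(policy):
    """Client outcome when the certificate presented is not the server's
    (cert_ok=False) and the server does publish the signal. ABSENT is left
    out: a validated denial cannot be produced for a signal that exists."""
    seen = (Signal.PRESENT, Signal.UNVALIDATED)
    return {s.name: policy(s, cert_ok=False) for s in seen}

def summary():
    policies = (attempt_only, downgrade_protected)
    return {p.__name__: on_path_outcomes(p) for p in policies}

if __name__ == "__main__":
    for name, outcomes in summary().items():
        print(name, outcomes)
```

Under `attempt_only` every interfered-with connection still proceeds unauthenticated, which is the same result as never attempting authentication; `downgrade_protected` refuses in both cases.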
