Hiya,

On 02/11/2019 18:33, Eric Rescorla wrote:
> On Sat, Nov 2, 2019 at 7:03 AM Paul Hoffman <[email protected]> wrote:
>
>> On 11/2/19 9:58 AM, Eric Rescorla wrote:
>>> Generally, I would expect that a solution which addressed the active
>>> threat model would also address the passive one.
>>
>> Of course, but there are many threat models that have different solutions.
>> The passive threat models might be addressable more quickly than the active
>> threat model.
>>
>
> Yes, that's why I asked the question of whether we are trying to solve the
> active attacker case.
Tackling passive and active attacks are not mutually exclusive goals. Experience from SMTP/TLS (as I interpret it anyway) was that defence against active attacks only really became tractable a few years after mitigations against passive attacks had been deployed and clearly hadn't broken anything. Note that that transition did not require any changes to SMTP/TLS, though it may have needed the mail equivalent of HSTS and reporting to have been defined (it's hard to tell for sure what really motivated folks to try to mitigate active attacks).

Whether or not adot is sufficiently similar is (for me) an unknown at this point, but I'd hope we don't rule that out. ISTM that requiring day-1 defence against active attacks was to an extent responsible for the lack of deployment of IPsec and DNSSEC, so I hope we keep an eye on that ball too.

Cheers,
S.

PS: In saying the above, I do ack that a bunch of people that I respect a lot totally disagree with the whole idea of opportunistic security (cf. RFC7435). What I suggest is that we not regurgitate that debate, but just bear in mind that any of us can be wrong, especially when we're arguing about foundational stuff that may really be based on hunches :-)

>
> -Ekr
>
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
>