[Cryptography] History and implementation status of Opportunistic Encryption for IPsec

2013-09-11 Thread Paul Wouters
History and implementation status of Opportunistic Encryption for IPsec NOTE: On September 28, there will be a memorial service in Ann Arbor for Hugh Daniel, manager of the old IPsec FreeS/WAN Project. Various crypto people will attend, including a bunch of us from

Re: Status of opportunistic encryption

2006-06-06 Thread James A. Donald
Thomas Harold: I do suspect at some point that the lightweight nature of DNS will give way to a heavier, encrypted or signed protocol. Economic factors will probably be the driving force (online banking). Thierry Moreau wrote: E.g. RFC4033, RFC4034, RFC4035. Well I wish it was going

Re: Status of opportunistic encryption

2006-06-06 Thread Peter Gutmann
kent crispin [EMAIL PROTECTED] writes: On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote: Grab OpenVPN (which is what OpenSWAN should be), install, point it at the target system, and you have opportunistic encryption. Forgive my doltishness, but could you expand on that just a bit,

Re: Status of opportunistic encryption

2006-06-04 Thread Thomas Harold
James A. Donald wrote: Attacks on DNS are common, though less common than other attacks, but they are by scammers, not TLA agencies, perhaps because they are so easily detected. All logons should move to SRP to avoid the phishing problem, as this is the most direct and strongest solution for

Re: Status of opportunistic encryption

2006-06-04 Thread Thierry Moreau
Thomas Harold wrote, in part: I do suspect at some point that the lightweight nature of DNS will give way to a heavier, encrypted or signed protocol. Economic factors will probably be the driving force (online banking). E.g. RFC4033, RFC4034, RFC4035. - Thierry

Re: Status of opportunistic encryption

2006-06-03 Thread Anne Lynn Wheeler
James A. Donald wrote: I was unaware of this. So I googled for DNSSEC. Reading the DNSSEC documents I found : :In order to support the larger DNS message : :sizes that result from adding the DNSSEC RRs, : :DNSSEC also requires EDNS0 support ([RFC : :671]). and : :its

Re: Status of opportunistic encryption

2006-06-03 Thread Anne Lynn Wheeler
James A. Donald wrote: In an organization with hundreds of administrators managing tens of thousands of machines, what goes wrong with trusting your key store? And who administers Kerberos? Don't they have a problem with tens of thousands of machines? the original pk-init draft for kerberos

Re: Status of opportunistic encryption

2006-06-02 Thread kent crispin
On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote: Grab OpenVPN (which is what OpenSWAN should be), install, point it at the target system, and you have opportunistic encryption. Forgive my doltishness, but could you expand on that just a bit, please (or point at the right place in

Re: Status of opportunistic encryption

2006-06-01 Thread Victor Duchovni
On Wed, May 31, 2006 at 08:56:53AM +1000, James A. Donald wrote: Active attacks are rare, possibly nonexistent except for Wifi. If NSA and the other TLAs were doing active attacks, they would be detected some of the time. They don't like being detected. Active attacks at the network layer

Re: Status of opportunistic encryption

2006-06-01 Thread Peter Gutmann
[EMAIL PROTECTED] writes: I am also interested in Opportunistic Encryption. Even if it is not as secure as a manually configured VPN, I am willing to trade that for what it does provide. I have looked at setting up OpenSWAN in OE mode, but frankly it is daunting even for the reasonably geeky

Re: Status of opportunistic encryption

2006-05-30 Thread auto37159
I am also interested in Opportunistic Encryption. Even if it is not as secure as a manually configured VPN, I am willing to trade that for what it does provide. I have looked at setting up OpenSWAN in OE mode, but frankly it is daunting even for the reasonably geeky and far beyond any kind

Re: Status of opportunistic encryption

2006-05-30 Thread James A. Donald
-- It seems to me opportunistic encryption has moved to the application layer, at least as far as Internet mail is concerned. Many MTAs use TLS automatically with whatever certificates they can get. Of course, this only guards against active attacks, but it seems to me that this

Re: Status of opportunistic encryption

2006-05-29 Thread Florian Weimer
* Sandy Harris: Recent news stories seem to me to make it obvious that anyone with privacy concerns (i.e. more-or-less everyone) should be encrypting as much of their communication as possible. Implementing opportunistic encryption is the best way I know of to do that for the Internet. I'm