Thomas Harold:
I do suspect at some point that the lightweight
nature of DNS will give way to a heavier, encrypted
or signed protocol. Economic factors will probably
be the driving force (online banking).
Thierry Moreau wrote:
E.g. RFC4033, RFC4034, RFC4035.
Well I wish it was going
kent crispin [EMAIL PROTECTED] writes:
On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote:
Grab OpenVPN (which is what OpenSWAN should be), install, point it at the
target system, and you have opportunistic encryption.
Forgive my doltishness, but could you expand on that just a bit,
James A. Donald wrote:
Attacks on DNS are common, though less common than other
attacks, but they are by scammers, not TLA agencies,
perhaps because they are so easily detected.
All logons should move to SRP to avoid the phishing
problem, as this is the most direct and strongest
solution for
Thomas Harold wrote, in part:
I do suspect at some point that the lightweight nature of DNS will give
way to a heavier, encrypted or signed protocol. Economic factors will
probably be the driving force (online banking).
E.g. RFC4033, RFC4034, RFC4035.
- Thierry
James A. Donald wrote:
I was unaware of this. So I googled for DNSSEC. Reading
the DNSSEC documents I found
: :In order to support the larger DNS message
: :sizes that result from adding the DNSSEC RRs,
: :DNSSEC also requires EDNS0 support ([RFC
: :671]).
and
: :its
James A. Donald wrote:
In an organization with hundreds of administrators
managing tens of thousands of machines, what goes wrong
with trusting your key store? And who administers
Kerberos? Don't they have a problem with tens of
thousands of machines?
the original pk-init draft for kerberos
On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote:
Grab OpenVPN (which is what OpenSWAN should be), install, point it at the
target system, and you have opportunistic encryption.
Forgive my doltishness, but could you expand on that just a bit, please (or
point at the right place in
On Wed, May 31, 2006 at 08:56:53AM +1000, James A. Donald wrote:
Active attacks are rare, possibly nonexistent except for
Wifi. If NSA and the other TLAs were doing active
attacks, they would be detected some of the time. They
don't like being detected.
Active attacks at the network layer
[EMAIL PROTECTED] writes:
I am also interested in Opportunistic Encryption. Even if it is not as
secure as a manually configured VPN, I am willing to trade that for what it
does provide. I have looked at setting up OpenSWAN in OE mode, but frankly
it is daunting even for the reasonably geeky
I am also interested in Opportunistic Encryption. Even if it is
not as secure as a manually configured VPN, I am willing to trade
that for what it does provide. I have looked at setting up
OpenSWAN in OE mode, but frankly it is daunting even for the
reasonably geeky and far beyond any kind
--
It seems to me opportunistic encryption has moved to
the application layer, at least as far as Internet
mail is concerned. Many MTAs use TLS automatically
with whatever certificates they can get. Of course,
this only guards against active attacks, but it
seems to me that this
* Sandy Harris:
Recent news stories seem to me to make it obvious that anyone with privacy
concerns (i.e. more-or-less everyone) should be encrypting as much of their
communication as possible. Implementing opportunistic encryption is the
best way I know of to do that for the Internet.
I'm