On Mon, Dec 11, 2017 at 08:27:03PM -0500, Daniel Kahn Gillmor wrote:
> Hi Antony--
>
> On Mon 2017-12-11 23:47:50 +0100, Antony Antony wrote:
>
> > Subject: [PATCH] tests/opportunistic fix, asymmetric dnssec test
>
> thanks for this! I confess i'm still a little confused as to why this
> DNSSEC-driven policy should be labeled "opportunistic" as compared with
> the fully-opportunistic authnull policy.

Hi dkg,

It is easy to create a second test. Let me know which one, maybe I can help. However, agreeing on name(s) is probably hard. My focus is on the test, not so much on names.

And a 0.02 cent comment on name/history. So a bit of history and how that may relate to naming. In the FreeSWAN days opportunistic encryption meant symmetric DNSSEC, using RSASIG. AFAIK there was only one identity validation method and one authentication (RSASIG) method. Also IKEv1 did not (AFAIK) offer asymmetric authentication. So essentially one combination.

The current one, IKEv2, offers more choices. And these do not have established names yet.

Now Libreswan is offering more choice. Symmetric and asymmetric, based on IKEv2 authentication. X509 certificate, DNSSEC (IPSECKEY RR) -- reverse and forward --, and RFC 7619 NULL Authentication, based on identity validation. And if you dig further, DNSSEC + IPSECKEY only supports RSA keys. Certificates may support more. RFC 7619 NULL Authentication is a variant of PSK.

The test I sent you is against oe.libreswan.org, which is running DNSSEC + IPSECKEY (RSA SIG in reverse zone), IKEv2 asymmetric test. At least a few weeks ago :) And this would work.

regards,
-antony
