
Re: Wes Hardaker: opportunistic encryption deployment problems




I guess I have to ask a really dumb question. Given the
likelihood of DNSSEC any time soon, why don't we just
ignore any pretense of authentication with opportunistic
encryption and just accept the MITM attack inherent with
ephemeral DH exchanges? Also: it seems to me that expecting
a secure DNS isn't actually opportunistic at all: it's
trying to assert a different source of (sometimes strong)
identity, which obviously runs afoul of the mythical
global PKI, which leads back to point one. I think there's
some utility to crypto which accepts MITM as better than
nothing at all which is the current reality.

	Mike

Bill Manning writes:
 > 
 > 	One point.   Instead of TXT records for stuffing bits into, there is the CERT record
 > 		which was designed for just such stuff.
 > 	Well, two points.  If folks want to kick the tyres on such a beast, I've a couple
 > 		of servers w/ signed in-addr.arpa zones.
 > 	
 > 
 > -- 
 > --bill

