
Re: Wes Hardaker: opportunistic encryption deployment problems



Henry Spencer writes:
 > On Tue, 7 Aug 2001, Michael Thomas wrote:
 > > I guess I have to ask a really dumb question. Given the
 > > likelihood of DNSSEC any time soon, why don't we just
 > > ignore any pretense of authentication with opportunistic
 > > encryption and just accept the MITM attack inherent with
 > > ephemeral DH exchanges?
 > 
 > We thought about that, but decided that some authentication was better
 > than none, especially since it would upgrade transparently to full
 > authentication.  It's one thing to accept security loopholes as a
 > temporary measure, and another to define a protocol that will always have
 > security loopholes.

   Well... How is this especially different than just
   using self-signed certificates and having a wide
   open policy? I don't think there's anything protocol-wise
   that even needs to be done there. Clearly you can upgrade
   that by using rooted certs in the future as well. 

   I guess what bothers me is that you are expecting to
   use DNS as a directory service for certs, which it
   wasn't really intended for, thus making an already
   complicated situation even more complicated, but
   not changing the fundamental situation (PKIs are hard).

 > 
 > > Also: it seems to me that expecting
 > > a secure DNS isn't actually opportunistic at all: it's
 > > trying to assert a different source of (sometimes strong) identity...
 > 
 > This basically boils down to what you think "opportunistic" means.  We
 > don't see it as meaning "will talk to anybody, no setup necessary" but
 > rather "will talk to anybody who's set up for it".  Some amount of setup
 > is clearly necessary anyway; we'd have liked to be able to talk to an
 > IPsec-capable host that's unaware of opportunistic encryption, but it
 > isn't possible.

   I guess that I view that there's probably an 80/20 rule
   here which is being missed: *most* people aren't going
   to go to the lengths of creating an active MITM attack
   to snoop on boring old everyday conversations.
   Thus encrypting everything -- by accepting MITM attacks
   where there is no pragmatic alternative -- will kill 
   off all of the passive snooping. Given the advent of
   wireless and the worthlessness of certain L2s' so-called
   security, this is not an academic issue. Trying to insert
   an upgrade path back to the mythical global PKI rather
   misses the point: if there were such a beast, we
   should be able to use IKE as-is (or at least we ought
   to be able to envision how to do that). Also: I 
   think the MIP experience sez that we ought to
   consider whether we'd want such a PKI even if
   it were possible.

	 Mike
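An added toy model of the trade-off argued in this thread (example code, not part of the original message or of FreeS/WAN): anonymous ephemeral DH leaves a passive snooper with only public values, an active MITM silently holds both session keys, and a long-term key published in a directory (the role DNS plays in the discussion) lets the initiator reject the substituted value. The group parameters, the `directory` dict and the party names are assumptions made for the illustration.

```python
"""Toy model: unauthenticated ephemeral DH versus DH with a published
long-term key. Constructed illustration using a tiny safe-prime group
(p = 1019, q = 509, g = 4); not a secure parameter set."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4  # toy safe-prime group, chosen for this example

def keypair():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _hash(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(x, msg):               # Schnorr signature over the toy group
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + x * _hash(r, msg)) % Q

def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(pub, _hash(r, msg), P)) % P

def exchange(directory=None, mitm=False):
    """One handshake. `directory` maps a peer name to its published long-term
    public key (None = pure anonymous DH). Returns what each party learned."""
    bob_lt, bob_lt_pub = keypair()
    if directory is not None:
        directory["bob"] = bob_lt_pub  # the key the responder has published
    a, A = keypair()                   # Alice's ephemeral pair
    b, B = keypair()                   # Bob's ephemeral pair
    sig = sign(bob_lt, B) if directory is not None else None
    if mitm:                           # Mallory swaps in her own ephemeral value
        m, M = keypair()
        A_at_bob, B_at_alice = M, M
    else:                              # passive snooper only ever sees A and B
        A_at_bob, B_at_alice = A, B
    if directory is not None and not verify(directory["bob"], B_at_alice, sig):
        return {"detected": True, "same_key": False, "mallory_reads": False}
    k_alice, k_bob = pow(B_at_alice, a, P), pow(A_at_bob, b, P)
    mallory_reads = mitm and pow(A, m, P) == k_alice and pow(B, m, P) == k_bob
    return {"detected": False, "same_key": k_alice == k_bob,
            "mallory_reads": mallory_reads}
```

With a real-sized group the "same_key" mismatch under MITM is certain; in this toy group it can coincide by chance, so the point to look at is "mallory_reads" and "detected".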

