[16154] in cryptography@c2.net mail archive
Re: potential new IETF WG on anonymous IPSec
daemon@ATHENA.MIT.EDU (Bill Stewart)
Mon Sep 13 18:16:07 2004
X-Original-To: cryptography@metzdowd.com
Date: Mon, 13 Sep 2004 12:00:19 -0700
To: Sam Hartman <hartmans@mit.edu>
From: Bill Stewart <bill.stewart@pobox.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <tsloekbwclj.fsf@cz.mit.edu>
At 11:45 AM 9/12/2004, Sam Hartman wrote:
>No. opportunistic encryption means I have retrieved a key or cert for
>the other party, but do not know whether it is actually the right
>cert. This is slightly different although at the level of current
>discussion it has the same security properties.
Actually, FreeSWAN's "Opportunistic Encryption" meant
"if you've got IP traffic for somebody,
see if they can do encryption with you and use it if you can."
Because Gilmore wanted to make sure encryption was always done securely,
their implementation used a common PKI - DNSSEC and inverse DNS -
which has the advantage that a security gateway can use it when
all it knows is the IP address of the destination (which is typically the case),
but the severe disadvantage that very few people have control
over that DNS space and also that an IP address may belong to more than one domain.
There's a significant policy question there - if you don't have
a common PKI of some sort, is it worthwhile encrypting anyway,
protecting against passive eavesdroppers but not MITM,
or is that a false sense of security because the people who
most need security are the people most likely to have a government
annoyed enough at them to do the work of running a MITM attack?
Encryption against passive eavesdroppers makes password-stealing
and traffic analysis harder, so it's probably worth the risk,
but that wasn't the choice that FreeSWAN made.
Bill Stewart bill.stewart@pobox.com
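As an added illustration (not part of Stewart's post or of FreeSWAN's own code), a simplified Python model of the opportunistic-encryption decision described above: build the reverse-DNS name for a destination IP, look up a key there, and choose between authenticated encryption, unauthenticated encryption that only defeats passive eavesdroppers, or cleartext. The resolver table, the key strings and the `accept_unauthenticated` switch are constructed assumptions standing in for a live DNSSEC lookup.

```python
import ipaddress

# Constructed stand-in for reverse-DNS lookups. Maps a reverse owner name to
# (key material, whether the answer was DNSSEC-validated). A real gateway
# would query the live in-addr.arpa / ip6.arpa tree instead.
FAKE_REVERSE_DNS = {
    "4.3.2.10.in-addr.arpa.": ("RSA-KEY-FOR-10.2.3.4", True),   # validated
    "8.7.6.10.in-addr.arpa.": ("RSA-KEY-FOR-10.6.7.8", False),  # unvalidated
}


def reverse_name(ip: str) -> str:
    """Reverse-DNS owner name a gateway would query when all it knows is an IP.

    Works for IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) via the standard library.
    """
    return ipaddress.ip_address(ip).reverse_pointer + "."


def decide_oe_policy(dst_ip: str, resolver=FAKE_REVERSE_DNS,
                     accept_unauthenticated: bool = False) -> str:
    """Return the traffic treatment for dst_ip under an OE-style policy.

    accept_unauthenticated=False models the strict choice (encrypt only with a
    DNSSEC-validated key, else send cleartext); True models the looser policy
    of encrypting with an unvalidated key to defeat passive eavesdroppers,
    while accepting that an active MITM is not ruled out.
    """
    hit = resolver.get(reverse_name(dst_ip))
    if hit is None:
        return "cleartext"            # no key published for this address
    _key, validated = hit
    if validated:
        return "encrypt-authenticated"
    if accept_unauthenticated:
        return "encrypt-unauthenticated"
    return "cleartext"
```
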
---------------------------------------------------------------------
The Cryptography Mailing List