On Saturday, October 10, 2015 05:19:30 pm Viktor Dukhovni wrote:
> On Sat, Oct 10, 2015 at 05:11:56PM -0400, Dave Garrett wrote:
> > Note that opportunistic encryption is weird and getting
> > the whole document to be perfect for it might not be entirely doable, as
> > OE needs to tolerate more fuzziness than the main spec should allow.
> 
> Unfortunately requirements in the base TLS document end up "set in
> stone" in software implementations, and then break opportunistic
> TLS in ways application software can't work around.

I do agree with rewording the text in question to deal with this better, but 
honestly, OE & AE are directly opposed concepts. I'd much rather write almost 
everything assuming the goal is properly authenticated encryption, and have a 
separate section dedicated to opportunistic encryption stating that its 
implementation requires ignoring many of the hard requirements TLS has with 
regard to authentication. Trying to subtly allow for AE & OE in all the same 
text might give us a more fragile specification where accidentally screwing up 
authentication is easier. OE can be useful, but it's the exception, not the 
rule; giving AE too much wiggle-room could be dangerous. (when it's explicitly 
requested, e.g. TOFU with raw public keys, that's a different discussion)


Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
