On 3/12/2014 1:02 PM, Derek Atkins wrote:
> Joe Touch <[email protected]> writes:
>
>> Why not just use the term "unauthenticated encryption", when that's
>> exactly what's happening?
>
> Well, it's not necessarily what's happening. The data itself might
> still have "integrity protection" (which is a form of authentication).

Yes, and might be inaccessible to anyone except the endpoints that
negotiated the key too.

So you have a protected exchange both in privacy and integrity, but you
don't know with whom.

> You're just not authenticating the endpoint, which means you could be
> subject to a MitM attack. Alternate terms could be "Unauthenticated
> Keying" or "Unauthenticated Key Exchange" which are closer (IMHO) to
> what's going on.

Sure - yes, but neither acronym is desirable, unfortunately.
Unidentified Security?
Joe