Stephen Farrell <[email protected]> wrote:
    > On 03/12/2014 08:47 PM, Michael Richardson wrote:
    >> The part that we are all discussing is determining how (much) to
    >> trust the DH results.

    > I don't think that's a very accurate characterisation
    > to be honest.

    > I think the most relevant (but intertwined) factors are:

    > - trading off ease of deployment vs. endpoint authentication
    > - trading off protection against passive vs active attack
    > - better separating key exchange from endpoint authentication
    > so that traditional authentication or TOFU or whatever can
    > be used before during or after key exchange

But, you made my point.

While the end user sees the overall benefit is:
      my traffic can not be seen

The problems and challenges that we have are not in how or even when to
apply AES, it's how/when to do the DH.

To the end user, having the word "encryption" in the terminology is useful
because it tells them why they should pay attention to it.

To us, it's a red herring, because it's not where the issue is.
You listed the issues.

(BTW: my TLA cache is failing on "TOFU")

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting for hire =-




_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
