So I understand the background here: Why do we need/want QUIC in this setting instead of TCP?
-=R From: QUIC <[email protected]> on behalf of Randy Armstrong (OPC) <[email protected]> Date: Thursday, September 29, 2022 at 1:13 PM To: Paul Vixie <[email protected]> Cc: [email protected] <[email protected]> Subject: RE: Request for Authenticated but not Encrypted Traffic !-------------------------------------------------------------------| This Message Is From an External Sender |-------------------------------------------------------------------! Hi Paul, Thanks for the support. I think it is important to note: we already have our own TCP based protocol that supports authentication only. If QUIC cannot meet our requirements we may not recommend the use of QUIC at all. Also note that factory owners sometimes owners disable security entirely if they have s/w that uses TLS/HTTPS with no sign only option. IOW, forcing people to use encryption when they have a compelling business justification to turn it off can result in more security risks - not less. Regards, Randy -----Original Message----- From: Paul Vixie <[email protected]> Sent: Friday, September 30, 2022 4:31 AM To: Randy Armstrong (OPC) <[email protected]> Cc: [email protected] Subject: Re: Request for Authenticated but not Encrypted Traffic i understand this ask and i resonate positively to it. however, i predict it will be seen as controversial in this community, based on my prior experience trying to get ssh/scp to support clear text for use inside a campus, datacenter, VPC, or VM server. i've also been trying to get an SMTP library's author team to have an option to ignore STARTTLS when talking to my own localhost. in each case i was told that the risk of accidental nonencryption across a wide area network was too great. so, good luck with this use case. --vixie re: Randy Armstrong (OPC) wrote on 2022-09-29 05:31: > The OPC Foundation is looking at deploying QUIC within factories as > means for different OT devices to communicate with each other. In this > environment, factory owners often wish to monitor traffic to check for > anomalies. Encryption prevents this. > > For this reason, an authentication only option is essential to making > QUIC a viable choice for communication within factories. > > Regards, > > Randy Armstrong > > OPC UA Security WG Chair > -- P Vixie
