History and implementation status of Opportunistic Encryption for IPsec
NOTE: On September 28, there will be a memorial service in Ann Arbor
for Hugh Daniel, manager of the old IPsec FreeS/WAN Project.
Various crypto people will attend, including a bunch of us
from
kent crispin <[EMAIL PROTECTED]> writes:
>On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote:
>>Grab OpenVPN (which is what OpenSWAN should be), install, point it at the
>>target system, and you have opportunistic encryption.
>
>Forgive my doltishness, but could you expand on that just a
Thomas Harold:
> > I do suspect at some point that the lightweight
> > nature of DNS will give way to a heavier, encrypted
> > or signed protocol. Economic factors will probably
> > be the driving force (online banking).
Thierry Moreau wrote:
> E.g. RFC4033, RFC4034, RFC4035.
Well I wish it was
Thomas Harold wrote, in part:
I do suspect at some point that the lightweight nature of DNS will give
way to a heavier, encrypted or signed protocol. Economic factors will
probably be the driving force (online banking).
E.g. RFC4033, RFC4034, RFC4035.
- Thierry
-
James A. Donald wrote:
Attacks on DNS are common, though less common than other
attacks, but they are by scammers, not TLA agencies,
perhaps because they are so easily detected.
All logons should move to SRP to avoid the phishing
problem, as this is the most direct and strongest
solution for p
James A. Donald wrote:
In an organization with hundreds of administrators
managing tens of thousands of machines, what goes wrong
with trusting your key store? And who administers
Kerberos? Don't they have a problem with tens of
thousands of machines?
the original pk-init draft for kerberos ju
oh, and some number of certification authorities actually backed some
parts of DNSSEC ... including the idea that people register a public key
when they registered a domain name. this was countermeasure to various
kinds of domain name hijacking vulnerabilities ... i.e. the domain name
owner wou
James A. Donald wrote:
I was unaware of this. So I googled for DNSSEC. Reading
the DNSSEC documents I found
: :"In order to support the larger DNS message
: :sizes that result from adding the DNSSEC RRs,
: :DNSSEC also requires EDNS0 support ([RFC
: :671]). "
and
: :"its au
--
James A. Donald:
> > My understanding is that SSH when using GSS KEX does
> > not cache the keys, which strikes me as an amazingly
> > stupid idea,
Victor Duchovni
> No, that's the whole point. What works for the
> individual administering 10 machines, does not scale
> to organizations with
On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote:
> Grab OpenVPN (which is what OpenSWAN should be), install, point it at the
> target system, and you have opportunistic encryption.
Forgive my doltishness, but could you expand on that just a bit, please (or
point at the right place in
<[EMAIL PROTECTED]> writes:
>I am also interested in Opportunistic Encryption. Even if it is not as
>secure as a manually configured VPN, I am willing to trade that for what it
>does provide. I have looked at setting up OpenSWAN in OE mode, but frankly
>it is daunting even for the reasonably gee
On Wed, May 31, 2006 at 08:56:53AM +1000, James A. Donald wrote:
> Active attacks are rare, possibly nonexistent except for
> Wifi. If NSA and the other TLAs were doing active
> attacks, they would be detected some of the time. They
> don't like being detected.
Active attacks at the network lay
--
> > It seems to me opportunistic encryption has moved to
> > the application layer, at least as far as Internet
> > mail is concerned. Many MTAs use TLS automatically
> > with whatever certificates they can get. Of course,
> > this only guards against active attacks, but it
> > seems to m
I am also interested in Opportunistic Encryption. Even if it is
not as secure as a manually configured VPN, I am willing to trade
that for what it does provide. I have looked at setting up
OpenSWAN in OE mode, but frankly it is daunting even for the
reasonably geeky and far beyond any kind o
On Mon, May 29, 2006 at 07:21:29AM +0200, Florian Weimer wrote:
> * Sandy Harris:
>
> > Recent news stories seem to me to make it obvious that anyone with privacy
> > concerns (i.e. more-or-less everyone) should be encrypting as much of their
> > communication as possible. Implementing opportunis
* Sandy Harris:
> Recent news stories seem to me to make it obvious that anyone with privacy
> concerns (i.e. more-or-less everyone) should be encrypting as much of their
> communication as possible. Implementing opportunistic encryption is the
> best way I know of to do that for the Internet.
>
>
Some years back I worked on the FreeS/WAN project (freeswan.org),
IPsec for Linux.
One of our goals was to implement "opportunistic encryption", to allow any two
appropriately set up machines to communicate securely, without pre-arrangement
between the two system administrators. Put authenticatio