The simplest way to get half-safe opportunistic encryption is the "Open
Secret" shared secret,
or equivalently, draft-ietf-ipsec-internet-key-00.txt's shared
secret. Everybody who wants to use it just adds it to their ipsec's list
of known shared secrets, and uses it unless
bulk of email for same reason as FreeS/WAN
failed to protect the bulk of TCP/IP traffic. In comparison, opportunistic
encryption via StartTLS has been a modest success, simply because it's so
easy to deploy at MTA level (it would be a lot more successful, if
postfix/exim/qmail shipped with w
Eugen Leitl wrote:
No, anything requiring publishing DNS records won't fly. OE is
*opportunistic*. It doesn't care about what the true identity of the opposite
party is. Any shmuck on dynamic IP should be able to use it instantly, with
no observable performance degradation, using a simple patch.
I
On Wed, 17 Mar 2004, Eugen Leitl wrote:
> On Tue, Mar 16, 2004 at 03:29:42PM +0800, Sandy Harris wrote:
>
> > >So, the apparent solution for me seems to be the approach that the SPAM
> > >blacklists used - publish information in a subspace of the forward DNS
> > >space instead of using the authori
a couple nitpicks on otherwise interesting points...
On Wed, Mar 17, 2004 at 09:02:17AM -0500, sunder wrote:
> Look at how many folks use PGP - those who really know it and want it, or
> those who know enough about it and have some easily automated
> implementation that plugs in to their mail c
On Tue, Mar 16, 2004 at 03:29:42PM +0800, Sandy Harris wrote:
> >So, the apparent solution for me seems to be the approach that the SPAM
> >blacklists used - publish information in a subspace of the forward DNS
> >space instead of using the authoritative in-addr.arpa area.
> >
> Worth discussing
Hi,
Sandy Harris wrote:
>Tarapia Tapioco wrote:
>>A possible implementation looks like this:
>>...
>>
>>* Linux/KAME's IKE daemon racoon is patched to attempt retrieval of an
>> RSA key from said DNS repository and generate appropriate security
>> policies.
>>
>>Cleaner solution, but more work pr
Tarapia Tapioco wrote:
We've recently seen FreeS/WAN die, not least due to the apparent
practical failure of Opportunistic Encryption. The largest blocking
point for deployment of OE always seemed to be the requirement for
publishing one's key in the reverse DNS space. ...
Yes.
So, th
We've recently seen FreeS/WAN die, not least due to the apparent
practical failure of Opportunistic Encryption. The largest blocking
point for deployment of OE always seemed to be the requirement for
publishing one's key in the reverse DNS space. While most tech-savvy
people are able to
Are there any reasons why current systems (whether OpenSource or not)
don't ship with opportunistic IPsec out of the box? FreeS/WAN is really
easy to set up, and such, but why having to do BIND juggling and extra
installation steps.
What are the reasons, crypto restrictions?