[26669] in cryptography@c2.net mail archive
Status of opportunistic encryption
daemon@ATHENA.MIT.EDU (Sandy Harris)
Sun May 28 10:16:51 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Fri, 26 May 2006 15:18:59 +0800
From: "Sandy Harris" <sandyinchina@gmail.com>
To: cryptography@metzdowd.com
Some years back I worked on the FreeS/WAN project (freeswan.org),
IPsec for Linux.
One of our goals was to implement "opportunistic encryption", to allow any =
two
appropriately set up machines to communicate securely, without pre-arrangem=
ent
between the two system administrators. Put authentication keys in DNS; they
look those up and can then use IKE to do authenticated Diffie-Hellman to cr=
eate
the keys for secure links.
Recent news stories seem to me to make it obvious that anyone with privacy
concerns (i.e. more-or-less everyone) should be encrypting as much of their
communication as possible. Implementing opportunistic encryption is the
best way I know of to do that for the Internet.
I'm somewhat out of touch, though, so I do not know to what extent people
are using it now. That is my question here.
I do note that there are some relevant RFCs.
RFC 4322 Opportunistic Encryption using the Internet Key Exchange (IKE)
RFC 4025 A Method for Storing IPsec Keying Material in DNS
and that both of FreeS/WAN's successor projects (openswan.org and
strongswan.org) mention it in their docs. However, I don't know if it
actually being used.
--=20
Sandy Harris
Zhuhai, Guangdong, China
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
