Status of opportunistic encryption
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Jun 6 02:56:19 EDT 2006
kent crispin <kent at songbird.com> writes:
>On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote:
>>Grab OpenVPN (which is what OpenSWAN should be), install, point it at the
>>target system, and you have opportunistic encryption.
>
>Forgive my doltishness, but could you expand on that just a bit, please (or
>point at the right place in the docs)? I've used openvpn to set up dedicated
>tunnels, but it isn't immediately obvious to me how it would be configured to
>do opportunistic encryption.
OK, it looks like there are several different views of what opportunistic
encryption actually is. My definition was "I'd like to talk to X, with
encryption if available", which is what the STARTTLS/STLS/AUTH TLS upgrade
mechanisms do for POP/IMAP/SMTP/FTP. In that sense no tunnel mechanism (at
least that I know of) can really do that, you'd need something like a STARTTLS
mechanism for L2TP (the non-opportunistic way of doing this is to run L2TP
over IPsec). I don't know why anyone'd want to implement that, since it's
easier to just drop in your VPN app or device of choice.
The opportunistic encryption that OpenVPN gives you is manual rather than
automatic, since there's no way to upgrade "any protocol at all" to "any
protocol at all, but with encryption". The reason it's opportunistic is
because it allows you to use the equivalent of unauthenticated DH (self-
signed/arbitrary-CA certificates) rather than putting you through the torture
test of obtaining and configuring a cert from a recognised CA (that's non-
opportunistic, and because it's so difficult, frequently just non-encryption).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list