Status of opportunistic encryption
Sandy Harris
sandyinchina at gmail.com
Fri May 26 03:18:59 EDT 2006
Some years back I worked on the FreeS/WAN project (freeswan.org),
IPsec for Linux.
One of our goals was to implement "opportunistic encryption", to allow any two
appropriately set up machines to communicate securely, without pre-arrangement
between the two system administrators. Put authentication keys in DNS; they
look those up and can then use IKE to do authenticated Diffie-Hellman to create
the keys for secure links.
Recent news stories seem to me to make it obvious that anyone with privacy
concerns (i.e. more-or-less everyone) should be encrypting as much of their
communication as possible. Implementing opportunistic encryption is the
best way I know of to do that for the Internet.
I'm somewhat out of touch, though, so I do not know to what extent people
are using it now. That is my question here.
I do note that there are some relevant RFCs.
RFC 4322 Opportunistic Encryption using the Internet Key Exchange (IKE)
RFC 4025 A Method for Storing IPsec Keying Material in DNS
and that both of FreeS/WAN's successor projects (openswan.org and
strongswan.org) mention it in their docs. However, I don't know if it
actually being used.
--
Sandy Harris
Zhuhai, Guangdong, China
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list