From sandyinchina@gmail.com Fri Jul 6 02:40:53 2018 From: Sandy Harris To: cypherpunks-legacy@lists.cpunks.org Subject: Status of opportunistic encryption Date: Fri, 06 Jul 2018 02:40:53 +0000 Message-ID: <172289247258.3881296.528231552235064287.generated@mail.pglaf.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2670698440304695139==" --===============2670698440304695139== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Some years back I worked on the FreeS/WAN project (freeswan.org), IPsec for Linux. One of our goals was to implement "opportunistic encryption", to allow any two appropriately set up machines to communicate securely, without pre-arrangement between the two system administrators. Put authentication keys in DNS; they look those up and can then use IKE to do authenticated Diffie-Hellman to create the keys for secure links. Recent news stories seem to me to make it obvious that anyone with privacy concerns (i.e. more-or-less everyone) should be encrypting as much of their communication as possible. Implementing opportunistic encryption is the best way I know of to do that for the Internet. I'm somewhat out of touch, though, so I do not know to what extent people are using it now. That is my question here. I do note that there are some relevant RFCs. RFC 4322 Opportunistic Encryption using the Internet Key Exchange (IKE) RFC 4025 A Method for Storing IPsec Keying Material in DNS and that both of FreeS/WAN's successor projects (openswan.org and strongswan.org) mention it in their docs. However, I don't know if it actually being used. -- Sandy Harris Zhuhai, Guangdong, China --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which h= ad a name of signature.asc] --===============2670698440304695139==--