
Some years back I worked on the FreeS/WAN project (freeswan.org), IPsec for Linux. One of our goals was to implement "opportunistic encryption", to allow any two appropriately set up machines to communicate securely, without pre-arrangement between the two system administrators. Put authentication keys in DNS; they look those up and can then use IKE to do authenticated Diffie-Hellman to create the keys for secure links.

Recent news stories seem to me to make it obvious that anyone with privacy concerns (i.e. more-or-less everyone) should be encrypting as much of their communication as possible. Implementing opportunistic encryption is the best way I know of to do that for the Internet.

I'm somewhat out of touch, though, so I do not know to what extent people are using it now. That is my question here.

I do note that there are some relevant RFCs.

RFC 4322 Opportunistic Encryption using the Internet Key Exchange (IKE)
RFC 4025 A Method for Storing IPsec Keying Material in DNS

and that both of FreeS/WAN's successor projects (openswan.org and strongswan.org) mention it in their docs. However, I don't know if it is actually being used.

--
Sandy Harris
Zhuhai, Guangdong, China

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

----- End forwarded message -----

--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE