Saving Opportunistic Encryption
Sandy Harris
sandy at storm.ca
Mon Mar 15 23:29:42 PST 2004
Tarapia Tapioco wrote:
> We've recently seen FreeS/WAN die, not least due to the apparent
> practical failure of Opportunistic Encryption. The largest blocking
> point for deployment of OE always seemed to be the requirement for
> publishing one's key in the reverse DNS space. ...
Yes.
> So, the apparent solution for me seems to be the approach that the SPAM
> blacklists used - publish information in a subspace of the forward DNS
> space instead of using the authoritative in-addr.arpa area.
>
Worth discussing at least.
> A possible implementation looks like this:
> ...
>
> * Linux/KAME's IKE daemon racoon is patched to attempt retrieval of an
> RSA key from said DNS repository and generate appropriate security
> policies.
>
> Cleaner solution, but more work probably.
Why would you use racoon? FreeS/WAN's Pluto is available, under GPL,
already does OE, and works with 2.6 kernel IPsec (though I'm not
certain if patches are needed for that). Wouldn't it be a better
starting point?
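The proposal quoted above puts each host's key under a forward zone, named DNSBL-style, instead of under in-addr.arpa. The following is an added illustration of that naming and lookup scheme; it is not code from this thread, from FreeS/WAN or from racoon. The zone name oe-keys.example.net, the TXT record layout ("ipsec-oe v=1 gw=... key=..."), the placeholder key bytes and the dictionary standing in for a resolver are all constructed for the example.

```python
import base64
import binascii
import ipaddress

# Constructed zone name for the example; not a real service.
KEY_ZONE = "oe-keys.example.net"


def authoritative_name(ip):
    """Name the classic OE lookup uses: the reverse tree (in-addr.arpa / ip6.arpa).
    Only whoever holds the delegation for the address block can publish there."""
    return ipaddress.ip_address(ip).reverse_pointer


def forward_zone_name(ip, zone=KEY_ZONE):
    """DNSBL-style name: the same reversed labels (octets for IPv4, nibbles for
    IPv6), but under a forward zone whose operator can publish a record for any
    address without the address holder's cooperation."""
    labels = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{labels}.{zone}"


def parse_key_record(txt):
    """Parse one constructed TXT string of the form
    'ipsec-oe v=1 gw=<gateway-ip> key=<base64>'. Returns None for anything
    malformed, so a bad or unrelated record never yields a key."""
    fields = txt.split()
    if not fields or fields[0] != "ipsec-oe":
        return None
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    if kv.get("v") != "1" or "gw" not in kv or "key" not in kv:
        return None
    try:
        gateway = str(ipaddress.ip_address(kv["gw"]))
        key = base64.b64decode(kv["key"], validate=True)
    except (ValueError, binascii.Error):
        return None
    return {"gateway": gateway, "key": key}


def lookup_oe_key(ip, records, zone=KEY_ZONE):
    """records stands in for a resolver: DNS name -> list of TXT strings.
    Returns the first well-formed record at ip's forward-zone name, else None."""
    for txt in records.get(forward_zone_name(ip, zone), []):
        rec = parse_key_record(txt)
        if rec is not None:
            return rec
    return None


# Constructed sample zone data; the key bytes are a placeholder, not an RSA key.
SAMPLE_KEY = b"placeholder-not-a-real-rsa-key"
SAMPLE_RECORDS = {
    forward_zone_name("192.0.2.1"): [
        "unrelated text record",
        "ipsec-oe v=1 gw=192.0.2.1 key=" + base64.b64encode(SAMPLE_KEY).decode(),
    ],
    # Malformed on purpose: the key field is not valid base64.
    forward_zone_name("192.0.2.2"): ["ipsec-oe v=1 gw=192.0.2.2 key=!!not-base64!!"],
}

if __name__ == "__main__":
    for ip in ("192.0.2.1", "2001:db8::1"):
        print(authoritative_name(ip), "->", forward_zone_name(ip))
    print(lookup_oe_key("192.0.2.1", SAMPLE_RECORDS))
    print(lookup_oe_key("192.0.2.2", SAMPLE_RECORDS))
```

The two name functions show the only thing the proposal changes: who can publish. A record under in-addr.arpa comes from whoever holds the address block's reverse delegation; a record under the forward zone comes from the zone operator, who can publish an entry for any address, including ones they do not control. Neither tree is authenticated without DNSSEC, so a gateway reading either should treat the key as exactly what OE promised: protection against passive eavesdropping, not authentication of the peer.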