[Swan-dev] debian continuous integration
Antony Antony
antony at phenome.org
Tue Dec 12 10:47:27 UTC 2017
On Mon, Dec 11, 2017 at 08:27:03PM -0500, Daniel Kahn Gillmor wrote:
> Hi Antony--
>
> On Mon 2017-12-11 23:47:50 +0100, Antony Antony wrote:
>
> > Subject: [PATCH] tests/opportunistic fix, asymmetric dnssec test
>
> thanks for this! I confess i'm still a little confused as to why this
> DNSSEC-driven policy should be labeled "opportunistic" as compared with
> the fully-opportunistic authnull policy.
Hi dkg,
It is easy to create a second test. Let me know which one, maybe I can
help.
However, agreeing on name(s) is probably hard. My focus is on the test, not
so much on names. And a 0.02 cent comment on name/history.
So a bit of history and how that may relate to naming. In the FreeSWAN days
opportunistic encryption meant symmetric DNSSEC, using RSASIG. AFAIK there
was only one identity validation method and one authentication (RSASIG)
method. Also, IKEv1 did not (AFAIK) offer asymmetric authentication. So
essentially one combination. The current one, IKEv2, offers more choices,
and they do not have established names yet.
Now Libreswan is offering more choice. Symmetric and asymmetric, based on
IKEv2 authentication. X509 certificate, DNSSEC (IPSECKEY RR) -- reverse and
forward -- and RFC 7619 NULL Authentication, based on identity validation.
And if you dig further, DNSSEC + IPSECKEY only supports RSA keys. Certificates
may support more. RFC 7619 NULL Authentication is a variant of PSK.
The test I sent you is against oe.libreswan.org, which is running
DNSSEC + IPSECKEY (RSASIG in the reverse zone), an IKEv2 asymmetric test. At
least a few weeks ago :) And this would work.
regards,
-antony
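The asymmetric setup described in the message above hinges on the responder's RSA public key being published as an IPSECKEY resource record in the reverse zone. The following is an added example, not code from libreswan or from the thread: it parses an IPSECKEY RR in RFC 4025 presentation format (precedence, gateway type, algorithm, gateway, base64 key), validates the gateway field against its declared type, and, for algorithm 2 (RSA), splits the RFC 3110 public key blob into exponent and modulus so a caller can check the key before trusting it for RSASIG. It also handles the case the message does not spell out, a record with algorithm 0 and no key, and rejects non-RSA algorithms. The field values are taken from RFC 4025 and RFC 3110; the sample record, its address and its "modulus" are constructed for the example (an arbitrary 2048-bit odd number, not a real key), and the function names are the author's own.

```python
"""Parse and sanity-check an IPSECKEY RR (RFC 4025) in presentation format.

Added example; not libreswan code. Sample data below is constructed.
"""
import base64
import ipaddress

# RFC 4025 section 2.3 (gateway type) and 2.4 (algorithm) values.
# Later RFCs register further algorithms; only the RFC 4025 set is modelled here.
GATEWAY_TYPES = {0: "none", 1: "ipv4", 2: "ipv6", 3: "dname"}
ALGORITHMS = {0: "none", 1: "DSA", 2: "RSA"}


def encode_rfc3110_rsa(e: int, n: int) -> bytes:
    """Build an RFC 3110 section 2 RSA public key blob (used to make the sample)."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    # One-byte exponent length, or 0x00 followed by a two-byte length.
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return hdr + eb + n.to_bytes((n.bit_length() + 7) // 8, "big")


def parse_rfc3110_rsa(blob: bytes):
    """Split an RFC 3110 RSA public key blob into (exponent, modulus)."""
    if not blob:
        raise ValueError("empty RSA key")
    elen, off = blob[0], 1
    if elen == 0:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if len(blob) < off + elen + 1:
        raise ValueError("truncated RSA key")
    e = int.from_bytes(blob[off:off + elen], "big")
    n = int.from_bytes(blob[off + elen:], "big")
    return e, n


def parse_ipseckey(rdata: str) -> dict:
    """Parse 'precedence gateway-type algorithm gateway [base64-key]'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("IPSECKEY needs at least four fields")
    precedence, gw_type, alg = (int(x) for x in fields[:3])
    gateway = fields[3]
    key_b64 = "".join(fields[4:])  # presentation format may wrap the key
    if not 0 <= precedence <= 255:
        raise ValueError("precedence out of range")
    if gw_type not in GATEWAY_TYPES or alg not in ALGORITHMS:
        raise ValueError("unknown gateway type or algorithm")
    # RFC 4025 section 3: no gateway means type 0 and a gateway field of '.'
    if gw_type == 0 and gateway != ".":
        raise ValueError("gateway type 0 requires gateway '.'")
    if gw_type == 1:
        ipaddress.IPv4Address(gateway)  # raises on a malformed address
    elif gw_type == 2:
        ipaddress.IPv6Address(gateway)
    rec = {"precedence": precedence, "gateway_type": GATEWAY_TYPES[gw_type],
           "algorithm": ALGORITHMS[alg], "gateway": gateway, "public_key": None}
    if alg == 0:
        if key_b64:
            raise ValueError("algorithm 0 must not carry a key")
        return rec
    if not key_b64:
        raise ValueError("algorithm %d requires a key" % alg)
    rec["public_key"] = base64.b64decode(key_b64, validate=True)
    return rec


def rsa_key_from_ipseckey(rec: dict):
    """Return (e, n, modulus_bits) if the record carries an RSA key, else raise."""
    if rec["algorithm"] != "RSA":
        raise ValueError("IPSECKEY algorithm is %s, not RSA" % rec["algorithm"])
    e, n = parse_rfc3110_rsa(rec["public_key"])
    return e, n, n.bit_length()


# Constructed sample: arbitrary 2048-bit odd number standing in for a modulus.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_KEY_B64 = base64.b64encode(encode_rfc3110_rsa(65537, SAMPLE_N)).decode()
SAMPLE_RDATA = "10 1 2 192.0.2.38 " + SAMPLE_KEY_B64   # gateway is a doc-range address
SAMPLE_NOKEY = "10 0 0 ."                               # a host with nothing to publish

if __name__ == "__main__":
    rec = parse_ipseckey(SAMPLE_RDATA)
    e, n, bits = rsa_key_from_ipseckey(rec)
    print(rec["gateway_type"], rec["gateway"], rec["algorithm"], "e=%d" % e, "%d-bit" % bits)
```

Only the algorithm-2 branch is accepted for RSASIG; a record advertising DSA, or the no-key form, is reported as an error rather than silently falling through to NULL authentication, which is the failure mode to watch for when the reverse zone is misconfigured.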