Last Call Review of draft-dukhovni-opportunistic-security-01

Request Review of draft-dukhovni-opportunistic-security
Requested rev. no specific revision (document currently at 06)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2014-08-05
Requested 2014-07-10
Other Reviews Genart Last Call review of -05 by Martin Thomson (diff)
Secdir Last Call review of -01 by Takeshi Takahashi (diff)
Secdir Telechat review of -04 by Takeshi Takahashi (diff)
Opsdir Last Call review of -01 by Ron Bonica (diff)
Opsdir Telechat review of -04 by Ron Bonica (diff)
Review State Completed
Reviewer Martin Thomson
Review review-dukhovni-opportunistic-security-01-genart-lc-thomson-2014-07-11
Posted at
Reviewed rev. 01 (document currently at 06)
Review result On the Right Track
Draft last updated 2014-07-11
Review completed: 2014-07-11


I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at


Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-dukhovni-opportunistic-security-01
Reviewer: Martin Thomson
Review Date: 2014-07-08
IETF LC End Date: 2014-08-05
IESG Telechat date: (if known)

Summary: This reads a little like it was rushed.  This needs some work
before it can be considered ready.

(I've cc'd saag here.  That seemed appropriate, strip as you see fit.)

Major issues:

This misses one of the key principles behind opportunistic security:

  Insistence on failure, as opposed to downgrade or some lesser level
of security - a characteristic of non-opportunistic security - elicits
responses from users to work around the problem (accept the bad
certificate, suppress certificate checking, etc...).  The willingness
of an opportunistic security implementation to accept unvalidated
credentials means that it still benefits from resilience against
passive attack.  This is only really noted through an example of a
"design blunder".

In general, a more careful consideration of the document structure is needed.

The document skirts around it's key goal: defining OS.  Section 2
needs to start with a definition. The paragraph that follows the list
in S2 is a reasonable attempt at that and could be tweaked fairly
perform that function.

The Security Considerations is a response to an unstated argument, but
I think that the document needs to be clearer about what that argument
is, i.e.:

  The willingness of an OS implementation to downgrade can be
trivially exploited by an active attacker to strip an opportunistic

The point that is made here is one that is most applicable in the
aggregate, something that is implied by "users" (in the plural form),
but should be explicit.

Minor issues:

Section 3 is unnecessary in its entirely:

  1. 2119 language isn't really appropriate for this document.  Many
of the statements that rely on this would be much better without that
language.  Some of the uses are actually completely inappropriate:
"When possible, opportunistic security SHOULD provide stronger
security on a peer-by-peer basis."

  2. I think that the description of "unauthenticated encryption" and
"TOFU" belong in the text proper.  TOFU is covered well enough by the
text in S1; unauthenticated encryption needs to be covered in the
description as a first class section, rather than piecemeal (see
above).  MitM and PFS are defined in RFC4949.

Nits/editorial comments:

References are double-bracketed "([ref])" and the "pervasive
monitoring (PM[RFC7258])" reference doesn't need the "PM".