quicwg/ops-drafts

IESG Review Paul Wouters/Eric Vyncke: cryptographically obfuscate/protected

mirjak opened this issue · 4 comments

cryptographically obfuscates

An odd term. I see obfuscation to be non-cryptographic and cryptographic transformation to not be as weak as to be seen as obfuscation (but as encryption or secure hashing).

I replied by mail to Paul and explained that the header protection is kind of weak, so cryptographically protected might be too strong and this was his reply:

 Maybe the only thing is finding a better term for “cryptographically obfuscates”? 

 I understand your reasoning but I still feel a little that this is doing a disservice to “cryptography”. But it was a comment, so I will leave it up to the authors.

But maybe we can find a better term...?

Also a related comment on the same section from Eric Vyncke:

Security ADs will know more of course but for me "cryptographically protected" is unclear whether it is confidentiality or integrity or both... Suggest to use "is confidentiality/integrity protected with cryptography" (or a lighter sentence than this one).

Note that PR #484 is also editing this same part of the text.

I would say "protects" instead of "obfuscates". We have an analysis to support this claim (now cited in RFC 9001), we don't need to hedge. We used to be less certain (we did basically just invent this off the cuff at an interim meeting), but we're far more confident in stronger claims now.