Kris Pister <[email protected]> wrote:
>> if a node starts from A, I don't see how it can authenticate the
>> network, and the network authenticate the node.
>
> Thomas - you and Michael and Robert and Tom are all correct that
> option A is not good and should be avoided. Certainly anyone who cares
> about security will not use it. I don't want to waste too much time on
> it, other than to say that:
> 1) I hope that 6TiSCH is deployed broadly, in many applications
> 2) many product developers don't think that they need security, or
> they think that it will be too hard, or too burdensome on installation,
> ..., e.g.
The problem with the "push button" to validate the DH exponent is that
you still have to do the DH exponentiation... (whether ECDHA or not).
If one can do the DH to get the pfs, then one could also use a
pre-established shared secret to authenticate, with a trip back to the
vendor. But, that's (B).
One can also use (B) without the DH, SIM-card-like.
Can we agree that (A) is out of scope for now?
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
