Tero Kivinen <[email protected]> wrote:
> Note, that using IKEv2 and 802.15.9, it would be possible to use
> multiple authentication rounds (RFC 4739), i.e. where the JN first
> authenticates himself to the JA by using for example certificates
> generated by the manufacturer. Before this step the JA will be
> configured with all CAs for all manufacturers who can connect.
> After this step JA will know that JA is a device which is created by one
> of the allowed manufacturers, and if that manufacturer certificate
> includes the 64-bit extended address, JA will know that JN has that
> extended address.
This would be a very good idea.
I hadn't thought of using IKEv2's ability, but I really like it,
and it integrates so nicely into the 15.9 mechanism already.
> This is one of the reasons I think we need to use proper external key
> management protocol, as they have these features already standardized,
> and we just need to pick and choose which of those features we want to
> use.
:-)
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
6tisch mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6tisch
