Malisa Vucinic <[email protected]> wrote:
> I think we all agree on this. Since JN and JA do not share any
> pre-existing crypto material, we rely on leap-of-faith for the initial
> exchange(s).

I guess it depends upon whether you expect JN/JA to form a secure
per-host-pair adjacency during the bootstrap process. I don't see the point.
>> It could use 802.15.9 and create pairwise key between JA and JN using
>> authentication that is forwarded to the JCE. In that case only the
>> authentication requests and replies need to be forwarded, not full
>> joining exchanges.
> I think we agree that only JCE can authenticate JN based on a PSK and
> that this ends up at JCE in any case. What do you mean by full joining
> exchanges? How many packets between JN <-> JA <-> JCE do you consider
> necessary, strictly from a security perspective?
All the relevant protocols require between 2 and 3 round trips to get
things working. How many fraglets that works out to depends upon how big
the certificate chains that are sent (if any) are.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
6tisch mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6tisch
