On Tue, Nov 15, 2016 at 02:40:38AM +0000, Michael Behringer (mbehring) wrote:
> Hi Pedro,

Hi,

> Generically, ANIMA devices get a domain certificate. Today,
> practically all certificate management solutions are centralised, with
> a central CA, and several RAs (Registration Authorities). So for now
> this is the working model. And a registrar is logically an RA in this
> model. Given that certificate interactions are infrequent, and given
> that this PKI model is very well developed, I think this is a
> reasonable starting point.

Yes, it is, but being a "model" and not a "solution", I think it could
consider different schemes.

> We have had suggestions to look at peer to peer trust models, and I
> agree that philosophically this would be even better. However, such
> models are not widely used today. My personal opinion is that we could
> well support a different enrolment procedure, using a peer-to-peer
> trust model in the future; the ANIMA reference model is generic and
> modular enough. 
> 
> But my priority is to get the current solution, using standard PKI
> methods off the ground before going there. 
> 
> Do you have a concrete proposal? Would be interesting to discuss.

Not for the moment, but in my team we are working on some models that
would benefit from centralized and distributed registration procedures,
depending on the specific scenario.

For instance, disaster recovery scenarios require establishing network
systems (virtual and physical) that should be autonomic and disconnected
from any previously centralized infrastructure. This could be reflected
in the unattended deployment of drones to provide connectivity to places
where infrastructure has been broken. In this situation, both security
and interoperability should be ensured without requiring the system to
contact a centralized registry.

I hope this gives some perspective to my concerns. In summary I only
encourage the consideration of abstract mechanisms to cover any point
that can have polarized schemes (centralized vs distributed).

> Michael

Regards,
Pedro

-- 
Pedro Martinez-Julia
Network Science and Convergence Device Technology Laboratory
Network System Research Institute
National Institute of Information and Communications Technology (NICT)
4-2-1, Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan
Email: [email protected]
---------------------------------------------------------
*** Entia non sunt multiplicanda praeter necessitatem ***

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
