On Sep 11, 2012, at 4:53 PM, Curtis Villamizar wrote:

> We had a similar discussion before and I pointed out that for security
> some form of exchange of keys or certificates was needed.
>
> Having a factory configured root DNSSEC certificate gets one form of
> trust anchor. The browser certificates provide another, possibly very
> flawed form of trust anchor.
>
> A means to create a local certificate and manually distribute this
> could be the basis of a local trust anchor for local addresses and
> names.
>
> For specific services it may be best to have certificates or keys
> exchanged between client and server.

In an unmanaged environment, some form of a ceremony is needed (http://eprint.iacr.org/2007/399.pdf), such as to prove locality and control.

Mark

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet