On 10/22/13 2:07 PM, Ted Lemon wrote:
On Oct 22, 2013, at 4:22 PM, Michael Thomas <[email protected]> wrote:
If you'd pause a moment from winning, I said that requiring knowledge of the group secret
to do the leap of faith is somewhat better than the straight leap of faith that ssh uses.
The public key can be used to authenticate the server in future connections as being the
same server that you contacted when you first made the leap of faith. The "group
secret" proves to the server that you know the password to the network, but it can't
be used by the network to prove that it is trustworthy. And there is no additional
token, so every time you use that server, you are making the same leap of faith you made
the first time. Leap of faith authentication provides some additional security because
you can only attack it the first time it's used—when the leap of faith is made. If you
make a leap of faith every time you connect, that's no different than having no security
at all.
Yes, it just limits the bad guys to those who know that shared secret. I'll leave it
to crypto-heads whether that's enough of an advantage to warrant l2/l3 entanglement
(which is what you really should rip me for :)
But we're far afield from my original point: that I'd rather use a server on my home
network to get my configuration, rather than trusting some random ISP who I happen
to be connected to at any point in time. That doesn't work for roaming, and it's
questionable whether it's an especially good idea even when I'm not.
This is the key point: your home network is just a random network to your
device, unless you have a secure mechanism for identifying it. I do agree
with your basic point that you can't just trust any random network; what I am
trying to point out is there is currently no mechanism we've specified that
allows your device to securely distinguish your home network from those other
networks.
Yes, of course. And it's why zeroconf is incompatible with security: you have to enroll,
and enrollment without checking who you're talking to is insecure. Ssh isn't *really*
zeroconf if you consider it: it asks you first whether you want to take that leap of faith
which requires actually considering the possibility that something bad might happen.
What I'd really like is for my device to "home" itself on a network or server with
my human participation to, like ssh, say "yes, it's ok" because I'm at home on
my wifi when I first bought it, and "no, it's not ok because I'm still at Bestbuy".
Further, I'd say that it really isn't the "Network" that I want to trust, but
some server (or two), probably running on my home network but not necessarily.
In fact, I think we should stop talking about trusting a "network" altogether because
it's really distinct hosts that we ought to trust or not, even if one of those hosts
happens to be my home router (router != "network", of course).
Are you suggesting that we shouldn't comment on that draft?
If I wanted to say such an inappropriate thing, I would just say it, and then
presumably there would be a recall petition, and I'd be able to go back to
being an individual contributor, and my life would get a lot simpler. I want
desperately for the working group to comment on the draft, and I appreciate you
commenting. Please don't take debate from me as implying that you should shut
up. When I accuse you of handwaving, it's because I want you to get specific,
not because I want you to shut up. You're in no way obliged to get
specific—that's just what _I_ want.
As far as I can tell, the draft is still ISP-DHCP centric which to my mind is a non-starter,
for many, many reasons. I haven't read the newest version, so apologies if I'm out of date.
I'd suggest to the authors to rethink the entire scheme *without* DHCP, and without any
requirement that there's a link-level relationship to do what they're trying to do: it should
work from the other end of the internet directly addressed with a nice shiny ipv6 address.
Mike
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
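
The leap-of-faith model debated in this thread, as an added Python example that is not from either participant or from the draft under discussion: a pin store that asks a human once, at first contact, and afterwards only compares the presented key against the pin. Gating enrollment on an HMAC tag over the server key under the group secret is an assumption made for illustration, as are the names `PinStore`, `key_tag`, `connect` and the sample keys.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the key bytes a server presents."""
    return hashlib.sha256(public_key).hexdigest()


def key_tag(group_secret: bytes, public_key: bytes) -> bytes:
    """Hypothetical proof that the presenter of this key knows the group secret."""
    return hmac.new(group_secret, public_key, hashlib.sha256).digest()


class PinStore:
    """Leap-of-faith pins, keyed by server name (illustrative only)."""

    def __init__(self, group_secret=None):
        self.group_secret = group_secret
        self.pins = {}

    def connect(self, server, presented_key, confirm, tag=None):
        fp = fingerprint(presented_key)
        pinned = self.pins.get(server)
        if pinned is not None:
            # Later contacts: no new leap, only a comparison with the pin.
            return "verified" if hmac.compare_digest(pinned, fp) else "mismatch"
        if self.group_secret is not None:
            # Optional gate: only someone who knows the secret may be enrolled.
            expected = key_tag(self.group_secret, presented_key)
            if tag is None or not hmac.compare_digest(expected, tag):
                return "rejected"
        # First contact is the only exposed moment, so a human decides.
        if not confirm(server, fp):
            return "declined"
        self.pins[server] = fp
        return "enrolled"


if __name__ == "__main__":
    secret = b"constructed-group-secret"      # constructed sample values
    home, rogue = b"constructed home key", b"constructed rogue key"
    store = PinStore(secret)
    say_yes = lambda server, fp: True
    print(store.connect("home-server", rogue, say_yes))                        # no tag
    print(store.connect("home-server", home, say_yes, key_tag(secret, home)))  # first use
    print(store.connect("home-server", rogue, say_yes, key_tag(secret, rogue)))
```

Once a pin exists, a key presented by someone who knows the group secret is still reported as a mismatch; on a store with no pin yet, that same party would be enrolled if the human says yes, which is the remaining first-contact exposure.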