Whether or not you do leap of faith, certificates _do_ provide extra value.

- you can produce them/validate them via a (local / cloudy) CA (which may also imply authorization in addition to authentication, or not)
- you can have them from hardware (which makes producing spurious ones much harder, assuming the hardware certificates in and of themselves are authenticable)

Whether your authorization policy is leap of faithy, or strict 'these are the authorized CAs/individual certs', there is no way to express the same things with raw public keys (or you wind up with a new X509, which is in nobody's best interest).

That said, I think there is probably room for both a PSK-based and some PKI-based solution here, but I do not believe that much in raw public keys any more.

Cheers,

-Markus

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet