On 09/18/2014 08:24 AM, Markus Stenberg wrote:
> With device certificates, you still have the original authz problem. That is, just because I can identify you reliably tells me nothing about whether I want to participate in routing updates with you. So in that way, they are not any more useful than naked keys.
>
> If the device certificate is on hardware, you cannot generate them at will, and therefore they _are_ more useful, as you can e.g. blacklist a device and be sure that even with leap-of-faith code active, it will not come out of the woodwork with a new certificate.
Revocation again gets back to the threat model: what attacks are we trying to prevent (or not)? Without knowing that, it's hard to say whether device certs help any, especially considering that there are perfectly acceptable homenet routers that will never be born with a device cert.
Mike

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
