On 03/02/2015 11:54 AM, Brian E Carpenter wrote:
On 03/03/2015 08:38, Michael Thomas wrote:
Well, draft-pritikin-anima-bootstrapping-keyinfra-01 describes a way
to bootstrap a certificate infrastructure, zero touch. Once every
device in a domain has a domain certificate, two devices can directly
authenticate each other, without PSK. Then you can also authenticate a
key negotiation scheme such as IKE, to negotiate a PSK which you can
then use in your "normal" authentication scheme. Obviously, would be
nice if protocol supported certs directly, but it's not required.

I still think that the above draft is a very good way to bootstrap a
certificate infrastructure, which can be leveraged in many different
ways.


I'm doubtful that routing protocols need PSKs. They almost certainly
would like to share a symmetric key(s), but that is not the same thing.
But they need to agree on the shared key(s) securely, and the only way
I know how to do that zero-touch is by starting with asymmetric keys
and certificates.


s/and certificates//

Mike

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
