On 03/03/2015 09:12, Michael Thomas wrote:
> On 03/02/2015 11:54 AM, Brian E Carpenter wrote:
>> On 03/03/2015 08:38, Michael Thomas wrote:
>>>> Well, draft-pritikin-anima-bootstrapping-keyinfra-01 describes a way
>>>> to bootstrap a certificate infrastructure, zero touch. Once every
>>>> device in a domain has a domain certificate, two devices can directly
>>>> authenticate each other, without PSK. Then you can also authenticate a
>>>> key negotiation scheme such as IKE, to negotiate a PSK which you can
>>>> then use in your "normal" authentication scheme. Obviously, would be
>>>> nice if protocol supported certs directly, but it's not required.
>>>>
>>>> I still think that the above draft is a very good way to bootstrap a
>>>> certificate infrastructure, which can be leveraged in many different
>>>> ways.
>>>>
>>>>
>>> I'm doubtful that routing protocols need PSK's. They almost certainly
>>> would like to share a symmetric key(s) but
>>> is not the same thing.
>> But they need to agree on the shared key(s) securely, and the only way
>> I know how to do that zero-touch is by starting with asymmetric keys
>> and certificates.
>>
>>
> s/and certificates//

Well, I want certificates, because I don't believe someone who
says "Hi, I'm your friendly homenet router and here's my public
key."

   Brian

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet

Reply via email to