On 03/03/2015 09:12, Michael Thomas wrote: > On 03/02/2015 11:54 AM, Brian E Carpenter wrote: >> On 03/03/2015 08:38, Michael Thomas wrote: >>>> Well, draft-pritikin-anima-bootstrapping-keyinfra-01 describes a way >>>> to bootstrap a certificate infrastructure, zero touch. Once every >>>> device in a domain has a domain certificate, two devices can directly >>>> authenticate each other, without PSK. Then you can also authenticate a >>>> key negotiation scheme such as IKE, to negotiate a PSK which you can >>>> then use in your "normal" authentication scheme. Obviously, would be >>>> nice if protocol supported certs directly, but it's not required. >>>> >>>> I still think that the above draft is a very good way to bootstrap a >>>> certificate infrastructure, which can be leveraged in many different >>>> ways. >>>> >>>> >>> I'm doubtful that routing protocols need PSK's. They almost certainly >>> would like to share a symmetric key(s) but >>> is not the same thing. >> But they need to agree on the shared key(s) securely, and the only way >> I know how to do that zero-touch is by starting with asymmetric keys >> and certificates. >> >> > s/and certificates//
Well, I want certificates, because I don't believe someone who says "Hi, I'm your friendly homenet router and here's my public key." Brian _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
