> On Mar 2, 2015, at 9:05 PM, Michael Thomas <[email protected]> wrote:
> 
> On 03/02/2015 01:21 PM, Brian E Carpenter wrote:
>> On 03/03/2015 09:12, Michael Thomas wrote:
>>> 
>>> I'm doubtful that routing protocols need PSK's. They almost certainly
>>> would like to share a symmetric key(s) but
>>> is not the same thing.
>>>> But they need to agree on the shared key(s) securely, and the only way
>>>> I know how to do that zero-touch is by starting with asymmetric keys
>>>> and certificates.
>>>> 
>>>> 
>>> s/and certificates//
>> Well, I want certificates, because I don't believe someone who
>> says "Hi, I'm your friendly homenet router and here's my public
>> key."
>> 
> 
> so you're mollified if somebody's cert says "hi i'm 
> 1232345245213452345...@lkajsdlfjasdfds.clasjdflakjsdfk.ladsjflakjsfdls.xxx" 
> instead?
> 
Actually, I’m suspicious, which is entirely appropriate.

If, on the other hand, the cert says router3.orandom.net and orandom.net is my 
domain with delegated DNSSEC from my domain provider I might be a tad more 
trusting than if I just saw a 2048bit raw public key.

> the possession of a cert does nothing in and of itself to make an enrollment 
> decision.
> 
I agree that the cert itself does nothing. The name in the cert, as long as it 
isn’t self signed, provides a trust anchor.

> Mike
> 
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet

Reply via email to