> On Mar 2, 2015, at 9:05 PM, Michael Thomas <[email protected]> wrote: > > On 03/02/2015 01:21 PM, Brian E Carpenter wrote: >> On 03/03/2015 09:12, Michael Thomas wrote: >>> >>> I'm doubtful that routing protocols need PSK's. They almost certainly >>> would like to share a symmetric key(s) but >>> is not the same thing. >>>> But they need to agree on the shared key(s) securely, and the only way >>>> I know how to do that zero-touch is by starting with asymmetric keys >>>> and certificates. >>>> >>>> >>> s/and certificates// >> Well, I want certificates, because I don't believe someone who >> says "Hi, I'm your friendly homenet router and here's my public >> key." >> > > so you're mollified if somebody's cert says "hi i'm > 1232345245213452345...@lkajsdlfjasdfds.clasjdflakjsdfk.ladsjflakjsfdls.xxx" > instead? > Actually, I’m suspicious, which is entirely appropriate.
If, on the other hand, the cert says router3.orandom.net and orandom.net is my domain with delegated DNSSEC from my domain provider I might be a tad more trusting than if I just saw a 2048bit raw public key. > the possession of a cert does nothing in and of itself to make an enrollment > decision. > I agree that the cert itself does nothing. The name in the cert, as long as it isn’t self signed, provides a trust anchor. > Mike > > _______________________________________________ > homenet mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/homenet _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
