On 03/03/2015 05:55 AM, David Oran wrote:
On Mar 2, 2015, at 9:05 PM, Michael Thomas <[email protected]> wrote:
On 03/02/2015 01:21 PM, Brian E Carpenter wrote:
On 03/03/2015 09:12, Michael Thomas wrote:
I'm doubtful that routing protocols need PSK's. They almost certainly
would like to share a symmetric key(s) but
is not the same thing.
But they need to agree on the shared key(s) securely, and the only way
I know how to do that zero-touch is by starting with asymmetric keys
and certificates.
s/and certificates//
Well, I want certificates, because I don't believe someone who
says "Hi, I'm your friendly homenet router and here's my public
key."
so you're mollified if somebody's cert says "hi i'm
1232345245213452345...@lkajsdlfjasdfds.clasjdflakjsdfk.ladsjflakjsfdls.xxx" instead?
Actually, I’m suspicious, which is entirely appropriate.
If, on the other hand, the cert says router3.orandom.net and orandom.net is my
domain with delegated DNSSEC from my domain provider I might be a tad more
trusting than if I just saw a 2048bit raw public key.
Considering that provisioning personal certificates is the almost the
polar opposite of zeroconf, the chances
of the normal schlub seeing an informative and/or trustworthy name are
really, really low.
Mike
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet