On 28 Jul 2010, at 07.50, Mikael Abrahamsson wrote:

> On Wed, 28 Jul 2010, Yaakov Stein wrote:
>
>> Yes, the symmetric key stuff is now done in hardware
>> but the public key part for authentication is still done in software.
>> And due to interactions between the software and hardware,
>> requesting authentications can slow down other existing timing flows.
>
> What about just signing it the way it's done in DNSSEC, ie you have a
> certificate/key and each packet is signed before being sent out?
Many (all) DNSSEC responses are TCP or handshake. You really don't want to authenticate clients at the server, as that is an easy way to construct a DDoS attack, just as you can with NSEC3 for DNSSEC.

The other way (which I think we in Paris also agreed was the most common use case), having a client authenticate a server, is different though and can be made to scale (I think that is what you are suggesting above).

Best regards,

- kurtis -
_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
