Re: HIP and PKI reqs [RE: Identifier/locator recap]

[Tim Shepard <shep@alum.mit.edu>]

[ post by non-subscriber.  with the massive amount of spam, it is easy to miss
  and therefore delete posts by non-subscribers.  if you wish to regularly
  post from an address that is not subscribed to this mailing list, send a
  message to <listname>-owner@ops.ietf.org and ask to have the alternate
  address added to the list of addresses from which submissions are
  automatically accepted. ]

> > The problem I see with HIP is that you can't initiate a session with
> > just the identifier to identify the host you want to communicate with.
> 
> You are right.  More work is needed.  As I wrote, someone
> should work out the details how to utilize DHTs, perhaps
> in conjunction with DNS.  Or something similar.

Today you cannot initiate a connection if all you have is the ssh host
key.  Is this a problem with ssh that needs to be fixed?  If not, then
why does it need to be fixed with HIP?

I also thought I'd mention that you cannot initiate a connection with
a web server if all you have is one of those certificates used to
authenticate the identity of https servers.  But then I realized that
you can, because the dns name of the server is embeded in the
certificate.  The real question is how does anyone ever get their
hands on one of these certificates in the first place?

My real point is that perhaps we do not need to solve this problem.
We can do as ssh does, and start with a DNS name which gets us an IP
address (and perhaps a HIT), then initiate a HIP exchange with
whatever is at that IP address.

(In any case, implementing some sort of DHT as Pekka Nikander suggests
 sounds like a cool idea and an interesting research question.  And
 it may be as easy as he believes.)

			-Tim Shepard
			 shep@alum.mit.edu