Hi Brian,
thanks for the comments.
On 05/01/2005, at 13:44, Brian E Carpenter wrote:
Personal comments:
I believe this is also ready to hand over to the future WG.
Just a couple of remarks.
1. You don't discuss the DNS at all - it clearly isn't a requirement for the HBA mechanism itself to have any DNS entries, but surely in reality at least one of the addresses will have to go into DNS?
I guess so, but I don't see any HBA-specific issues w.r.t. DNS; I guess that they are just like any other global address.
Do you think I should state it explicitly in the draft?
If you don't, I will bet other people will ask the same question.
Brian
2. A related point - in the discussion in 7.1 of MITM attacks, the attack you describe only makes sense if the other end has no independent check of *any* of the addresses in the address set. If even one of them is (for example) in a trusted AAAA record, a MITM is excluded, I think.
Good point, I will include this in the next version.
regards, marcelo
Brian