[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



Hi Jim,


El 11/07/2006, a las 17:25, Bound, Jim escribió:

I see this point.  Clearly public or pre-shared PKI has to exist yes.
But enclaves of network users will have this association is the
assumption.  So if we are not in some enclave we would need to join one
to send each other files via IPsec with encrypt. The enclaves are being
built now.


As i understand it, the only way to make the shim6 security based on IPSec is to assume that a global PKI is deployed, including client certificates (i.e. not only server certificates) so that it is possible to secure any-to-any communication.

From what i understand such global pki is not in place yet and it doesn't looks like it will be anytime soon if ever.

So, i really don't think it is reasonable to build the security on the shim6 relying on such global pki deployment

does anybody think that it would be acceptable to build the shim6 security based on the assumption of a global PKI deployment?

Regards, marcelo



Sorry I missed your point.

/jim

-----Original Message-----
From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
Sent: Tuesday, July 11, 2006 10:19 AM
To: Bound, Jim
Cc: Pekka Savola; shim6@psg.com
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

On 11-jul-2006, at 10:13, Bound, Jim wrote:

IPsec is deployed end-to-end for v4 and v6 in production not sure I
agree no one knows how to do this and I think I misunderstood your
statement below?  Thanks.

So if I want to send you a file and I want to encrypt it with
IPsec, how do I do that, without making special arrangements first?

IPsec is only used for VPN tunnels in practice today.