Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
On 19-jul-2006, at 11:57, marcelo bagnulo braun wrote:
> As I understand it, the only way to make the shim6 security based
> on IPSec is to assume that a global PKI is deployed, including
> client certificates (i.e. not only server certificates) so that it
> is possible to secure any-to-any communication.
>
> From what I understand such global PKI is not in place yet and it
> doesn't look like it will be anytime soon if ever. So, I really
> don't think it is reasonable to build the security on the shim6
> relying on such global PKI deployment.
>
> Does anybody think that it would be acceptable to build the shim6
> security based on the assumption of a global PKI deployment?

Note that server certificates are relatively widespread, hence my
suggestion to adopt TLS as an alternative security mechanism in
addition to HBA.

It would be helpful to determine whether we as a wg want this or not.

Obviously it's also possible to use IPsec rather than TLS but I don't
see how this would benefit us greatly and IPsec has proven hard to
deploy until now.