
Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



On 19-jul-2006, at 11:57, marcelo bagnulo braun wrote:

As I understand it, the only way to make the shim6 security based on IPsec is to assume that a global PKI is deployed, including client certificates (i.e. not only server certificates) so that it is possible to secure any-to-any communication.

From what I understand, such a global PKI is not in place yet and it doesn't look like it will be anytime soon, if ever. So, I really don't think it is reasonable to build the security on the shim6 relying on such global PKI deployment.

Does anybody think that it would be acceptable to build the shim6 security based on the assumption of a global PKI deployment?

Note that server certificates are relatively widespread, hence my suggestion to adopt TLS as an alternative security mechanism in addition to HBA.

It would be helpful to determine whether we as a wg want this or not.

Obviously it's also possible to use IPsec rather than TLS but I don't see how this would benefit us greatly and IPsec has proven hard to deploy until now.