
RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



On Wed, 19 Jul 2006, Bound, Jim wrote:
> I don't think we can ever require that and nor have we in any spec. Preshared keys work but the point is that is a market decision not an IETF decision. We build the protocols with operational guidance in some cases whether or how they are used in the market is a red herring for our work to keep moving forward. We are more like scientists not marketing and business people.

Exactly. Which is why we should move ahead without an IPsec and PKI requirement.

This debate seems pretty much like a recap of MIPv6 route optimization security discussions about 5 or so years ago. IPsec and PKI were deemed insufficient _in practice_, for _the general solution_, and I don't think the situation has changed in a significant way.

I don't think anyone is disputing that IPsec and PKI could be useful in some contexts where PKI has already been deployed. If folks think this is a sufficiently useful scenario, maybe it would be worth specifying in an optional shim6 extension.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings