
RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



I don't agree it is a huge deployment obstacle, but if it were, it is not our issue here in the IETF WG.  Biometrics, smartcards, and LinkIDs can all be pre-shared and associated with enclaves, per the other thread on end-to-end PKI.

/jim 

> -----Original Message-----
> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es] 
> Sent: Wednesday, July 19, 2006 11:28 AM
> To: Bound, Jim
> Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> 
> 
> On 19/07/2006, at 16:52, Bound, Jim wrote:
> 
> > Hi Marcelo,
> >
> > Well my view is specs cannot make assumptions about market deployment;
> > the question first to ask is would IPsec work.
> 
> i agree with this
> 
> however, it is imho completely valid to evaluate different 
> solutions based on their deployment costs.
> 
> A solution based on IPSec requires either pre-shared keys 
> between all the nodes in the internet or certificates for all 
> the nodes of the internet. This is a huge deployment 
> obstacle. So this solution does present this problem and 
> needs to be taken into account when evaluating different 
> solutions. A solution that does not require this would 
> require less deployment effort. Of course this is not the 
> only (or even most important) consideration when evaluating 
> alternative solutions but it is indeed an important element 
> imho, do you agree?
> 
> regards, marcelo
> 
> 
> >   None of us have a crystal ball and our engineering work here is 
> > usually focused on the protocol behavior and that it does no harm and 
> > does not cause interoperability problems.
> >
> > /jim
> >
> >> -----Original Message-----
> >> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> >> Sent: Wednesday, July 19, 2006 5:57 AM
> >> To: Bound, Jim
> >> Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> >> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>
> >> Hi Jim,
> >>
> >>
> >> On 11/07/2006, at 17:25, Bound, Jim wrote:
> >>
> >>> I see this point.  Clearly public or pre-shared PKI has to
> >>> exist yes.
> >>> But enclaves of network users will have this association is the 
> >>> assumption.  So if we are not in some enclave we would need to join 
> >>> one to send each other files via IPsec with encrypt.  The
> >>> enclaves are being built now.
> >>
> >>
> >> As i understand it, the only way to make the shim6 security based on 
> >> IPSec is to assume that a global PKI is deployed, including client 
> >> certificates (i.e. not only server certificates) so that it is 
> >> possible to secure any-to-any communication.
> >>
> >> From what i understand such global pki is not in place yet and it 
> >> doesn't look like it will be anytime soon if ever.
> >>
> >> So, i really don't think it is reasonable to build the security on 
> >> the shim6 relying on such global pki deployment.
> >>
> >> does anybody think that it would be acceptable to build the
> >> shim6 security based on the assumption of a global PKI deployment?
> >>
> >> Regards, marcelo
> >>
> >>
> >>>
> >>> Sorry I missed your point.
> >>>
> >>> /jim
> >>>
> >>>> -----Original Message-----
> >>>> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
> >>>> Sent: Tuesday, July 11, 2006 10:19 AM
> >>>> To: Bound, Jim
> >>>> Cc: Pekka Savola; shim6@psg.com
> >>>> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>>>
> >>>> On 11-jul-2006, at 10:13, Bound, Jim wrote:
> >>>>
> >>>>> IPsec is deployed end-to-end for v4 and v6 in production, not sure I
> >>>>> agree no one knows how to do this and I think I misunderstood your
> >>>>> statement below?  Thanks.
> >>>>
> >>>> So if I want to send you a file and I want to encrypt it with IPsec,
> >>>> how do I do that, without making special arrangements first?
> >>>>
> >>>> IPsec is only used for VPN tunnels in practice today.
> >>>>
> >>>
> >>
> >>
> >
> 
>