RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Good points but I would suggest we do not want a default for shim6 that
will not be deployed widely at least for 5 years minimum based solely on
HBA. Let's not create a default and do all security for shim6 as an
extension to the base spec.
/jim
> -----Original Message-----
> From: Pekka Savola [mailto:pekkas@netcore.fi]
> Sent: Wednesday, July 19, 2006 11:52 AM
> To: Bound, Jim
> Cc: Fiumano, Michael F [NTK]; marcelo bagnulo braun; Francis
> Dupont; shim6@psg.com; Iljitsch van Beijnum
> Subject: RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
>
> On Wed, 19 Jul 2006, Bound, Jim wrote:
> > I don't think we can ever require that and nor have we in any spec.
> > Preshared keys work but the point is that is a market decision not an
> > IETF decision. We build the protocols with operational guidance in
> > some cases whether or how they are used in the market is a red herring
> > for our work to keep moving forward. We are more like scientists not
> > marketing and business people.
>
> Exactly. Which is why we should move ahead without IPsec and
> PKI requirement.
>
> This debate seems pretty much like a recap of MIPv6 route
> optimization security discussions about 5 or so years ago.
> IPsec and PKI were deemed insufficient _in practice_, for
> _the general solution_, and I don't think the situation has
> changed in a significant way.
>
> I don't think anyone is disputing that IPsec and PKI could be
> useful in some contexts where PKI has already been deployed.
> If folks think this is a sufficiently useful scenario, maybe
> it would be worth specifying in an optional shim6 extension.
>
> --
> Pekka Savola "You each name yourselves king, yet the
> Netcore Oy kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>