[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

To: Francis Dupont <Francis.Dupont@point6.net>
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Fri, 21 Jul 2006 18:20:31 +0300
Cc: shim6-wg <shim6@psg.com>, Iljitsch van Beijnum <iljitsch@muada.com>
In-reply-to: <200607211454.k6LEsQBu047393@givry.rennes.enst-bretagne.fr>
References: <200607211454.k6LEsQBu047393@givry.rennes.enst-bretagne.fr>

Hi Francis,

El 21/07/2006, a las 17:54, Francis Dupont escribió:

 In your previous mail you wrote:
yes but the pki for issuing client certificates that bind IPaddresseswith public keys may be significatly different from the oneavailable
   for TLS server certificates.
=> one real world difference is for public TLS servers one is ready topay...
   In particular, the type of verification
that is needed is different since in one case you must verify thatthe
   fqdn contained in the certificate actually belongs to the server,
=> in fact this is not a TLS property but something asks by theapplication
(perhaps through an abstract "secure connection setup").

i think there is a misunderstanding here... by verification i am nottalking about the protocol to perform the verification, but the actualprocess carried on by the Registration authority to verify that the onethat is requesting the certificate actually owns the ip address that itwants to include in the certificate. It is not the protocol perspectivethat i am refering to but the logistic perspective. What is theadministrative procedure to perform such verification. My point is thatyou need to build a different administrative setup to verify theinformation included in this type of certificates...

   while
   in the other case you need to verify that the particular IP address
   belongs to a given person, which imho may be harder (since today

addresses are not assigned as a unit but prefixes are allocated tolirs

   and lirs assign prefixes to end sites and then end sites assign
   addresses to hosts, so the verification of the trust chain may be
   harder imho

=> if you want to stick the prefix delegation with the trust chain
I suggest the RFC 3779 (I can share some code implementing it I did
for a SEND prototype) but it works only for static assignments and
perhaps does not well suit to this particular problem (a reverse
DNSSEC seems better, RFC 3779 was designed for routing protocols).

again, i am not talking about certificate formats but the actualadministrative provedure and agreements that need to be in place toissue this type of certificates and that they are needed to validatethe information included in them



makes sense now?

regards, marcelo

Regards

Francis.Dupont@point6.net

Prev by Date: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Next by Date: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Previous by thread: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Next by thread: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Index(es):
- Date
- Thread