Hi Ekr,
Eric Rescorla wrote:
> At Sat, 24 Nov 2007 23:23:58 +0100,
> Hannes Tschofenig wrote:
>> I reviewed the document as well.
>> I got the impression that CGAs are not really going to see larger
>> deployment anytime soon.
>
> Well, that may be true, but if that's the rationale for this work
> it has a number of implications:
>
> 1. It casts severe doubt on any proposed future work on CGAs--such
> as the CSI BoF being held in YVR.

I see it differently. The proposed BOF tries to incorporate the fact
that most networks use DHCP for address configuration.
Reflecting deployment facts seems to be reasonable to me.

> 2. There needs to be some plausible rationale for why HBA won't
> suffer the same nondeployment fate as CGA, not just that
> HBA has a cooler sounding acronym.

Well. A lot of the mobility work is an investment into the future.
Almost everything done in the area of mobility has been done many, many
years before there was concrete interest in deploying it.

> That said, there are a number of ways to do signature-based
> binding other than CGA, so I'm not convinced that !CGA -> HBA.

Maybe.
Getting these protocols deployed is obviously quite difficult.
Nevertheless, I believe that HBA is more likely to see deployment than a
CGA-based approach.

>> HBA seems to be a simple and lightweight alternative (although I am not
>> convinced about SHIM6 in general).
>
> In what way is HBA any more lightweight than CGA?

Computational overhead.
There are a couple of schemes that use a lot of crypto but couldn't find
a lot of excitement outside the academic world.
Many of the real-world attacks happen at higher layers where you have
more semantics. There, you have other ways to deal with the attacks.

Ciao
Hannes

> -Ekr
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf