Brian,

> I think the scenarios are very different. To pay the costs of deploying
> CGAs, you have to be worried about threats from interlopers on your
> own infrastructure, as I understand things. HBAs deal with threats from
> interlopers anywhere between the two ends of the shim6 session.
> They're much easier to deploy since they use a nonce instead of
> a key pair.

I do not think the above is an accurate reflection of the state of affairs.

HBA provides a secure binding between two addresses. And only that. CGA provides a secure binding between an address and a key. It is most often applied to, again, show a secure binding between two addresses. But it does provide a more fundamental property; the key can be used to sign statements that are known to come from the "owner" of the address.

Neither HBAs nor CGAs require any deployment support other than code in the hosts using them. All keys and bindings are created by the hosts themselves.

In any case, from a Shim6 perspective the security properties of both are very similar. Shim6 supports both CGAs and HBAs within the same generalized CGA format. Eric is right that HBA does not appear to buy much additional value over CGAs. On the other hand, HBAs are very easy to support if you already support CGAs; and some people seem to think shared-key only crypto is helpful. You might disagree with that assessment, but it was the WG's decision. I do not personally feel a need to prevent them from including this support.

Jari

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
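The address-to-key binding Jari describes, as an added illustration that is not code from this thread or from any shim6 or CGA implementation: a simplified CGA generation and verification in the style of RFC 3972. It assumes a constructed placeholder byte string in place of a real DER-encoded RSA public key, a documentation-range subnet prefix, and no DAD retry loop (collision count fixed at 0); the HBA variant, which adds a prefix set to the hashed parameters, is not modelled.

```python
import hashlib
import os

# Constructed placeholder: a real CGA hashes the DER-encoded RSA public key here.
PUBKEY = b"CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY-BYTES"
PREFIX = bytes.fromhex("20010db800000001")  # 64-bit subnet prefix (documentation range, assumed)


def hash2_ok(modifier, pubkey, sec):
    """Hash2 = SHA-1(modifier | 9 zero octets | key); its leftmost 16*Sec bits must be zero."""
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return sec == 0 or (h2 >> (112 - 16 * sec)) == 0


def interface_id(modifier, prefix, collision_count, pubkey, sec):
    """Hash1 = leftmost 64 bits of SHA-1(CGA Parameters); Sec goes in bits 0-2, u/g bits cleared."""
    params = modifier + prefix + bytes([collision_count]) + pubkey
    h1 = bytearray(hashlib.sha1(params).digest()[:8])
    h1[0] = (sec << 5) | (h1[0] & 0x1C)
    return bytes(h1)


def generate_cga(prefix, pubkey, sec, modifier=None):
    """Return (address, (modifier, collision_count)); DAD retries are not modelled here."""
    modifier = os.urandom(16) if modifier is None else modifier
    while not hash2_ok(modifier, pubkey, sec):  # brute-force search; cost grows 2^16 per Sec step
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    return prefix + interface_id(modifier, prefix, 0, pubkey, sec), (modifier, 0)


def verify_cga(address, pubkey, modifier, collision_count):
    """Recompute the address from the claimed key and parameters; a mismatch means no binding."""
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5  # Sec is carried in the address itself, so the verifier needs no side channel
    if collision_count > 2 or not hash2_ok(modifier, pubkey, sec):
        return False
    expected = interface_id(modifier, prefix, collision_count, pubkey, sec)
    # Differences in the u/g bits (bits 6 and 7 of the first octet) are ignored, as in RFC 3972
    return (expected[0] & 0xFC, expected[1:]) == (iid[0] & 0xFC, iid[1:])


if __name__ == "__main__":
    addr, (mod, cc) = generate_cga(PREFIX, PUBKEY, sec=1, modifier=bytes(16))
    print("address:", addr.hex(), "bound to key:", verify_cga(addr, PUBKEY, mod, cc))
    print("same address, other key:", verify_cga(addr, b"some other key", mod, cc))
```

The point of the check is that anyone holding the address can prove the key behind it without any infrastructure: a peer that swaps in a different key, or a different modifier, simply fails to reproduce the interface identifier.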