See below ...

> On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker <hallam@xxxxxxxxx>
> wrote:
>>
>> No, if you read my book you would see the scheme I am proposing.
>>
>> The problem with current MAC addresses is that they are not
>> trustworthy. That is accepted. If MAC addresses were not trivially
>> forged then the existing WiFi scheme would work fine.
>>
>> ...
>>
>> Instead every device would have been issued with a device cert to bind
>> the MAC address to a public key during manufacture. This is already a
>> requirement for cable modems. The cost is of the order of cents per
>> device if the certs are installed during manufacture. Maintenance
>> costs get much higher as soon as the device has left the factory.

I don't see any need for the MAC address to be bound. If the device has
a built-in cert, you can use that, regardless of what the MAC address
is, to authenticate and secure communications.

Isn't this provided by 802.1AR-2009?
(Available from http://standards.ieee.org/getieee802/802.1.html)

>> The function of the certificate is to stop the MAC address being
>> trivially forged. OK yes, if you design the protocols wrong then you
>> can end up with Cisco being able to intercept on the wire traffic. But
>> if you do the job right you can prevent interception even if the
>> manufacturer defects.
>>
>> ...
>>

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
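As an added illustration of the two positions in this exchange (not code from either poster, the IETF, or the 802.1AR standard), the Go block below models the factory-installed device cert with a constructed vendor CA, places the MAC address in the subject serialNumber as 802.1AR DevID certificates do for their unique identifier, and then verifies a device three ways on the network side: the cert chains to the vendor CA, the MAC on the wire matches the bound one, and the device signs a fresh nonce with the certified key. The CA name, MAC values and nonce are constructed; the chain and nonce checks alone authenticate the device, which is the reply's point, while the MAC comparison is the extra binding Phillip describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl under parent (self-signed when parent == tmpl) and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // the templates below are fixed and well-formed, so failure here is a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Factory models manufacture: a constructed vendor CA binds the device's MAC (subject serialNumber, as 802.1AR DevIDs do) to its key.
func Factory(mac string) (ca, dev *x509.Certificate, devKey ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(20, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caTmpl, caTmpl, caPub, caKey)
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device", SerialNumber: mac},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(20, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	dev = issue(devTmpl, ca, devPub, caKey)
	return
}

// VerifyDevice is the network side: the cert must chain to the vendor CA, the MAC seen on the wire must equal the bound one, and sig must be the device's ed25519.Sign over the verifier's fresh nonce.
func VerifyDevice(ca, dev *x509.Certificate, wireMAC string, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if dev.Subject.SerialNumber != wireMAC {
		return errors.New("MAC on the wire does not match the MAC bound in the device certificate")
	}
	if pub, ok := dev.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("device did not prove possession of the certified key")
	}
	return nil
}
```

A spoofed MAC fails the second check without the matching cert, and a copied cert fails the third without the private key, so neither the MAC nor the cert alone is enough to impersonate a device.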