6 Apr 2011 19:02
Re: IETF 80: The future of PKIX certificate enrollment protocols
Paul Hoffman <paul.hoffman <at> vpnc.org>
2011-04-06 17:02:26 GMT
On Apr 6, 2011, at 8:22 AM, Stephen Kent wrote:

> At 5:34 PM +1200 4/6/11, Peter Gutmann wrote:
>> Stephen Kent <kent <at> bbn.com> writes:
>>
>>> Also, -SRP is informational, which would not be an appropriate downref for a
>>> standards track cert management protocol.
>>
>> -PSK is standards-track.
>
> I didn't say otherwise.
>
>>> Finally, -SRP seems to focus on one-way (client to server) auth, but cert
>>> enrollment requires 2-way auth.
>>
>> Both -SRP and -PSK provide true mutual auth. In fact they're the only
>> mechanisms in TLS that do.
>
> pre-shared keys/passwords do not scale well, and thus are a questionable basis
> for other than trivial deployment contexts. I don't consider either to be a
> viable basis for what Max is proposing, for that reason.

While the "do not scale well" part is true for some scenarios, it is not necessarily correct for enrollment of machine certs. That is, it is perfectly reasonable to have a long preshared key printed on the label on the bottom of a hardware system and use that as the preshared key. This scales just fine for certs that will be issued by the hardware manufacturer.

--Paul Hoffman

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix