On Sun, Mar 19, 2006 at 11:49:46AM -0600, Michael Richardson wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
>     Nicolas> - Nodes that wish to be treated as BTNS nodes by their peers
>     Nicolas> should generate a self-signed cert with a randomized DN.
>
> Can you be more specific?

Do I have to be?

>     Nicolas> We did discuss channel bindings, however. Channel bindings do
>     Nicolas> presume connection latching, which we did not work out in
>     Nicolas> detail, but nonetheless we think that for SAs authenticated with
>     Nicolas> public key signatures the channel bindings for latched
>     Nicolas> connections will be the public key values of the two peers.
>
> Directly? Or concatenation of hashes of public keys?
> What order?

No, not directly, a bit of structure may be necessary, and a canonical
order is necessary (there can be only two, so let's pick one).

> Will we write a single description of a channel binding "blob", or will
> this be application defined?

We will write a single description in a separate document (most likely).

> If there are two connections between peers, such as, in some cases, two NFS
> mounts, but certainly if I used channel binding for two SSH connections for
> which I had a (probably-non-btns) /32<->/32 tunnel, would both instances see
> the same binding data?

Most often, yes, but not necessarily.

Nico
--