
[anonsec] what I call leap-of-faith



On Mon, Mar 20, 2006 at 03:59:13PM -0600, Michael Richardson wrote:
> 
> When you SSH to a host the server sends its public key inline.
[...]

Note that this is a very application-centric view of LoF.

And maybe that's what we can do in this context through use of
connection-latching and IPsec APIs.  That is, let the app get peer IDs,
channel bindings, out of latched connections and then perform LoF at the
application layer.

Doing LoF at the IPsec layer gets us into all those issues we talked
about.

Note too that, given APIs to manipulate the IPsec DBs (PAD, SPD, SADB)
applications could apply LoF not only at the app layer, but also enforce
it in the PAD by creating PAD entries that bind BTNS publickey IDs and
node addresses, though I wouldn't recommend it.

Nico
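Application-layer leap-of-faith as described above, written as an added example that is not part of the original message or of any IPsec implementation: the app reads the peer's public-key ID and address out of a (here simulated) latched connection, pins the pairing on first contact, and flags any later change. The `LatchedConnection` structure, the `peer_id` fingerprint scheme and the sample keys are assumptions constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class LatchedConnection:
    """Stand-in for what a connection-latching API would hand the app:
    the peer's node address and the BTNS public key the SA was set up with."""
    peer_addr: str
    peer_pubkey: bytes   # constructed sample bytes, not a real key

def peer_id(pubkey: bytes) -> str:
    """Assumed peer-ID derivation: SHA-256 fingerprint of the public key."""
    return hashlib.sha256(pubkey).hexdigest()

class LeapOfFaithStore:
    """known_hosts-style table binding a peer address to the key ID first
    seen for it. The app (not the IPsec layer) decides what to do with
    each verdict; 'mismatch' is the case a caller should refuse."""

    def __init__(self):
        self.pins = {}   # peer_addr -> peer_id pinned on first contact

    def check(self, conn: LatchedConnection) -> str:
        pid = peer_id(conn.peer_pubkey)
        pinned = self.pins.get(conn.peer_addr)
        if pinned is None:
            # First contact: take the leap and remember this binding.
            self.pins[conn.peer_addr] = pid
            return "first-contact"
        if pinned == pid:
            return "match"
        # Key changed for a previously seen address: possible MITM or rekey,
        # which the application must resolve out of band.
        return "mismatch"

def demo() -> list:
    store = LeapOfFaithStore()
    key_a = b"constructed-sample-key-A"
    key_b = b"constructed-sample-key-B"
    return [
        store.check(LatchedConnection("192.0.2.10", key_a)),  # first-contact
        store.check(LatchedConnection("192.0.2.10", key_a)),  # match
        store.check(LatchedConnection("192.0.2.10", key_b)),  # mismatch
    ]
```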