-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here's a summary of what I understand so far; please post corrections. 1. leap of faith = accepting an unauthenticated certificate this refers to the FIRST accept of that certificate SSH servers do this automatically for client certificates, e.g. SSH clients typically ask users to verify certificates that otherwise cannot be authenticated in-band; this *assumes* out-of-band authentication of the certificate. One can consider users who blindly 'accept' those certificates to be performing a similar 'leap of faith' at the user level, though. 2. caching previously 'trusted' (authenticated or LOF assumed) keys for future use is NOT LOF there is no new leap taken this establishes continuity to _avoid_ a second LOF for the same certificate I was reminded that such caching is irrelevant to IKE, i.e., that keys need not be cached to prevent hijacking, since SAs can be torn down only if the child of a parent SA (can anyone confirm?). Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEKDq/E5f5cImnZrsRAr6gAJ9pRiAMiVVansoF7hpHXjh7Ni5YtACfZhDH oh3GKqMshIitrDffxZcCCKs= =UytH -----END PGP SIGNATURE-----
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.