Re: [btns] rfc 5387
Joe Touch <touch@ISI.EDU> Tue, 05 May 2009 21:42 UTC
Return-Path: <touch@ISI.EDU>
X-Original-To: btns@core3.amsl.com
Delivered-To: btns@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB66D3A6B00 for <btns@core3.amsl.com>; Tue, 5 May 2009 14:42:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.637
X-Spam-Level:
X-Spam-Status: No, score=-1.637 tagged_above=-999 required=5 tests=[AWL=0.362, BAYES_00=-2.599, J_CHICKENPOX_12=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dihviO5PJRZs for <btns@core3.amsl.com>; Tue, 5 May 2009 14:42:37 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 05FB73A6D95 for <btns@ietf.org>; Tue, 5 May 2009 14:42:37 -0700 (PDT)
Received: from [128.9.176.218] (c2-vpn06.isi.edu [128.9.176.218]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n45LhGe2023786; Tue, 5 May 2009 14:43:18 -0700 (PDT)
Message-ID: <4A00B2F4.30009@isi.edu>
Date: Tue, 05 May 2009 14:43:16 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@sun.com>
References: <8ab37b7001d3c3eb657cf4094244ccdc.squirrel@webmail.cec.wustl.edu> <49A4CDFF.3050907@ese.wustl.edu> <4c1c9a1604e5bb3ac960f4dfff3c88e0.squirrel@webmail.cec.wustl.edu> <49C3A0C3.8000303@ese.wustl.edu> <7610b87c95062b678eaf5b91da2e2670.squirrel@webmail.cec.wustl.edu> <49D9EFAC.7010602@ese.wustl.edu> <9568b97276e9e104429445829e257532.squirrel@webmail.cec.wustl.edu> <49ECADDD.9060204@ese.wustl.edu> <023070630846bf76af405743608d413b.squirrel@webmail.cec.wustl.edu> <20090505201529.GP1500@Sun.COM>
In-Reply-To: <20090505201529.GP1500@Sun.COM>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: Alan Johnston <alan@ese.wustl.edu>, btns@ietf.org, jb27@cec.wustl.edu
Subject: Re: [btns] rfc 5387
X-BeenThere: btns@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Better-Than-Nothing-Security Working Group discussion list <btns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/btns>
List-Post: <mailto:btns@ietf.org>
List-Help: <mailto:btns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2009 21:42:37 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adding to Nico's response: Nicolas Williams wrote: > On Thu, Apr 23, 2009 at 04:15:59PM -0500, jb27@cec.wustl.edu wrote: >> Hello! I am a student taking Internet Communications and our class is >> just finishing up our "security" section and I have a few questions about >> rfc 5387. >> >> ... >> -In this RFC it is mentioned that obtaining a security certificate could >> take a while. I?ve never had to get one, so how long does it take? Why >> would it be necessary to skip? > > That's unfortunate. The problem isn't how long it takes to get a > certificate (it could be as little as seconds with an online CA using > something else for authentication -- think "kca", a kerberized CA), but > the fact that deploying a PKI is usually difficult for a variety of > reasones. What it says is: ...Furthermore, obtaining and deploying credentials such as certificates signed by certification authorities (CA) involves additional protocol and administrative actions that may incur significant time and effort to perform. The time and effort are related to the additional protocol and administrative actions, i.e., setting up a PKI as Nico suggests above. It's not just getting the certificate that takes time (it doesn't particularly). >> -From section 4, BTNS protects security associations after they are >> established by reducing vulnerability to attacks from parties that are not >> participants in the association.? Doest this include MitM attacks? > > Yes. Agreed - *after* the BTNS association is established, it does protect from further MITM attacks. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoAsvQACgkQE5f5cImnZrslrACg3WxY5d9leCB1bUi1V7wwrGer vd8AniqKtfL1TNYDU05ikdM4A6rK7d7e =4nuR -----END PGP SIGNATURE-----
- [btns] rfc 5387 jb27
- Re: [btns] rfc 5387 Nicolas Williams
- Re: [btns] rfc 5387 Joe Touch
- Re: [btns] rfc 5387 Nicolas Williams