Re: [btns] rfc 5387

Joe Touch <touch@ISI.EDU> Tue, 05 May 2009 21:42 UTC

Date: Tue, 05 May 2009 14:43:16 -0700
From: Joe Touch <touch@ISI.EDU>
To: Nicolas Williams
Cc: Alan Johnston
Subject: Re: [btns] rfc 5387
In-Reply-To: <20090505201529.GP1500@Sun.COM>
List-Id: Better-Than-Nothing-Security Working Group discussion list


Adding to Nico's response:

Nicolas Williams wrote:
> On Thu, Apr 23, 2009 at 04:15:59PM -0500, wrote:
>> Hello!  I am a student taking Internet Communications and our class is
>> just finishing up our "security" section and I have a few questions about
>> rfc 5387.
>> -In this RFC it is mentioned that obtaining a security certificate could
>> take a while.  I've never had to get one, so how long does it take?  Why
>> would it be necessary to skip?
> That's unfortunate.  The problem isn't how long it takes to get a
> certificate (it could be as little as seconds with an online CA using
> something else for authentication -- think "kca", a kerberized CA), but
> the fact that deploying a PKI is usually difficult for a variety of
> reasons.

What it says is:

   ...Furthermore, obtaining and
   deploying credentials such as certificates signed by certification
   authorities (CA) involves additional protocol and administrative
   actions that may incur significant time and effort to perform.

The time and effort are related to the additional protocol and
administrative actions, i.e., setting up a PKI as Nico suggests above.
It's not just getting the certificate that takes time (it doesn't

>> -From section 4, BTNS protects security associations after they are
>> established by reducing vulnerability to attacks from parties that are not
>> participants in the association.  Does this include MitM attacks?
> Yes.

Agreed - *after* the BTNS association is established, it does protect
from further MITM attacks.

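The two points in the thread (the association is protected against non-participants once it is up, and an attacker who was in the path at establishment is a participant the exchange cannot tell apart from the real peer) can be seen in a small model. The following is an added example, not code from RFC 5387 nor anything posted by Joe Touch or Nicolas Williams: it uses a plain unauthenticated Diffie-Hellman exchange as a stand-in for the BTNS mode of IKE, an HMAC as the stand-in for ESP integrity protection, and a hash of both public values as a stand-in channel binding. The prime is transcribed from memory as IKE group 2 and is an assumption; the demonstration only needs modular exponentiation to work, not that exact value.

```python
"""Model of a "better-than-nothing" association: unauthenticated DH key exchange.
Added illustration only; not RFC 5387's construction and not IKE/ESP code."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (believed to be IKE group 2, RFC 2409 6.2); transcribed here as an
# assumption.  The demonstration does not depend on the exact value.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8


class Peer:
    """One endpoint of an unauthenticated key exchange (no certificate, no PSK)."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.key = None
        self.binding = None

    def establish(self, peer_pub):
        """Derive the session key and a channel binding from the public value received."""
        shared = pow(peer_pub, self.priv, P).to_bytes(NBYTES, "big")
        self.key = hashlib.sha256(b"btns-demo-key" + shared).digest()
        # Stand-in channel binding (an assumption, not the RFC's): hash of both public
        # values, sorted so that two peers who really saw each other agree on it.
        lo, hi = sorted((self.pub, peer_pub))
        self.binding = hashlib.sha256(
            lo.to_bytes(NBYTES, "big") + hi.to_bytes(NBYTES, "big")).hexdigest()


def seal(key, seq, payload):
    """Integrity tag over seq || payload under the session key (stand-in for ESP auth)."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def verify(key, seq, payload, tag):
    return hmac.compare_digest(seal(key, seq, payload), tag)


def run_direct():
    """Nobody in the path at establishment.  Eve, who only watches afterwards, sees both
    public values and every packet but is not a participant: she cannot forge or replay."""
    alice, bob = Peer("alice"), Peer("bob")
    alice.establish(bob.pub)
    bob.establish(alice.pub)
    pkt = b"GET /secret"                      # constructed sample traffic
    tag = seal(alice.key, 1, pkt)
    eve_key = hashlib.sha256(b"guess").digest()  # Eve's best effort: a guessed key
    forged = seal(eve_key, 2, b"GET /evil")
    return {
        "keys_match": alice.key == bob.key,
        "bindings_match": alice.binding == bob.binding,
        "legit_accepted": verify(bob.key, 1, pkt, tag),
        "forgery_accepted": verify(bob.key, 2, b"GET /evil", forged),
        "replay_accepted": verify(bob.key, 2, pkt, tag),   # tag is bound to seq 1
    }


def run_mitm():
    """Mallory is in the path at establishment and runs a separate DH with each side.
    Both sides end up with a working association, so the exchange itself cannot detect
    her; only comparing channel bindings over some authenticated path would."""
    alice, bob = Peer("alice"), Peer("bob")
    m_to_alice, m_to_bob = Peer("mallory"), Peer("mallory")
    alice.establish(m_to_alice.pub)       # alice believes this is bob's value
    m_to_alice.establish(alice.pub)
    bob.establish(m_to_bob.pub)           # bob believes this is alice's value
    m_to_bob.establish(bob.pub)
    pkt = b"GET /secret"                      # constructed sample traffic
    tag = seal(alice.key, 1, pkt)
    mallory_reads = verify(m_to_alice.key, 1, pkt, tag)
    altered = b"GET /evil"                    # Mallory re-seals toward Bob under her key
    bob_accepts_altered = verify(bob.key, 1, altered, seal(m_to_bob.key, 1, altered))
    return {
        "mallory_reads": mallory_reads,
        "bob_accepts_altered": bob_accepts_altered,
        "bindings_match": alice.binding == bob.binding,
    }


if __name__ == "__main__":
    print("direct:", run_direct())
    print("mitm:  ", run_mitm())
```

`run_direct()` shows the "after establishment" guarantee the thread agrees on: a party that merely observed the exchange holds no key, so forgeries and replays are rejected. `run_mitm()` shows the limit: an attacker present at establishment is, from each endpoint's point of view, simply the peer. The only artifact that differs between the two endpoints is the channel binding, which is why pairing a BTNS association with some higher-layer authentication that compares such a value is what turns "protected from outsiders" into "protected from the in-path attacker" as well.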