[dhcwg] Authentication in draft-donley-dhc-cer-id-option?

Ted Lemon <mellon@fugue.com> Sun, 02 March 2014 15:27 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Sun, 02 Mar 2014 15:27:37 +0000
Message-Id: <13D49A57-1F10-42D2-9E7F-9844CFCEF4FA@fugue.com>
To: "<dhcwg@ietf.org>" <dhcwg@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/MIruRlcwdEqWVHtg96t3H2DzVYY
Cc: draft-donley-cer-id-option@tools.ietf.org
Subject: [dhcwg] Authentication in draft-donley-dhc-cer-id-option?

Why does the CER-id option have its own authentication? There is already an authentication mechanism in RFC3315 that does what your current authentication option does, and there is work being presented at this IETF on how to do public-key authentication as well. Adding extra keying seems bad, unless the point is to carry that keying downstream from the CER to devices that do not share a link with the CER. Even so, it's not clear to me that there's any value in this.

It would be helpful to discuss the security model in the introduction.