[Hipsec-rg] Re: Hierarchical HITs

shengjiang at huawei.com (Sheng Jiang) Fri, 16 January 2009 22:15 UTC

From: "shengjiang at huawei.com"
Date: Sat, 17 Jan 2009 06:15:42 +0800
Subject: [Hipsec-rg] Re: Hierarchical HITs
In-Reply-To: <49717246.2060004@laposte.net>
References: <f832f99e32cca.32ccaf832f99e@huawei.com> <alpine.LFD.2.00.0901152346540.17180@stargazer.pc.infrahip.net> <1CC9CAD8FB744ADA82C9A6F4C2AC8B03@JiangXiong> <49715DE2.9010603@laposte.net> <D8E864423971478CBA743BECAE60EB4E@JiangXiong> <49717246.2060004@laposte.net>
Message-ID: <5727D3BB8C774649A5AC98E897EABB1C@JiangXiong>

> This is exactly the point; if a HHIT has the limitation that:
> 
> - it is bound with one entity in the hierarchy compared to a plain HIT
> (like a DNS name is)
> 
> - is not human readable compared to a DNS name (like a HIT is)
> 
> Then why should I use a HHIT as a host identifier? I'm getting all of
> the disadvantages of HIT (not readable) or DNS name (bound to an entity
> in the hierarchy) but none of their respective advantages, i.e., not
> being bound to an entity, or being readable...

I don't think being bound to an entity in the hierarchy is a disadvantage at all.
As I explained earlier, a self-issued identity means little. Will any
country allow entrance of a man whose identity card is issued by himself
only? Will BT give services access to a host/device that has its own
arbitrary identity? With hierarchy, the identifier can actually have real
meaning.

If you are considering privacy issues, yes, we don't want the hierarchy
information to be learned by receivers. Then our proposed HHIT architecture
is also compatible with the flat-structured HIT architecture.

By using the HHIT, we get a self-certified identity; it and its
belonging (hierarchy) can be easily verified by receivers.

Cheers,


Sheng