[Hipsec-rg] Re: Key Revocation Issue

swb at employees.org (Scott Brim) Thu, 22 January 2009 13:29 UTC

From: "swb at employees.org"
Date: Thu, 22 Jan 2009 08:29:50 -0500
Subject: [Hipsec-rg] Re: Key Revocation Issue
In-Reply-To: <002001c97c3b$255a9d60$480c6f0a@china.huawei.com>
References: <alpine.LFD.2.00.0901211720370.17180@stargazer.pc.infrahip.net> <002001c97c3b$255a9d60$480c6f0a@china.huawei.com>
Message-ID: <20090122132950.GA1342@cisco.com>

Excerpts from Zhang Dacheng on Thu, Jan 22, 2009 10:43:02AM +0800:
> I agree that it is an intuitive solution to solve the key revocation issue
> with DNS. However, my concern is whether it is reasonable for us to assume
> that every host has a FQDN. If yes, the importance of HIP is largely
> weakened. We can use FQDN rather than HI to achieve the separation of ID
> from Locator. 

As far as I can see this isn't true.  Different "identification"
functions have different needs.  You can use a FQDN as an identifier
for initial discovery of a location, but you cannot use it for session
authentication or control.  To start with you would be subject to
man-in-the-middle attacks.