Re: [Hipsec] Status of WG items

[Ari Keranen <ari.keranen@nomadiclab.com>]

On 7/27/12 12:04 PM, Robert Moskowitz wrote:
>
> On 07/27/2012 12:22 PM, Ari Keranen wrote:
>> Hi Julien,
>>
>> On 7/6/12 3:37 AM, Julien Laganier wrote:
>>> - 5203bis (registration) can IMHO be republished as is as I haven't
>>> seen any issue with the original version. If people agree I could
>>> republish it and we could WGLC it...
>>
>> I posted some comments about 5203bis earlier this year but back then
>> there was no discussion regarding them. So, here goes again.
>>
>> Some of these have been discussed also earlier on this list (these
>> relate to requirements discovered with the native NAT traversal draft
>> [1]), but I'll have them all here for easier reference.
>>
>> Currently, the registrar has no way of indicating that it would
>> otherwise accept the registration, but it's currently running low on
>> resources. For this purpose, a failure type "Insufficient resources"
>> could be added to the "registration failure types".
>>
>> Registration using authentication with certificates could be part of
>> the registration RFC. Currently, only authentication with HI is
>> defined, but knowing all HIs beforehand is not practical in many cases.
>>
>> Text in section 3.2. of [1] could be used as a basis for this (just
>> replace "HIP' data relay" with "registrar"). Also, if this
>> authentication mode is added to the draft, failure type "Invalid
>> certificate" should be added for the failure case.
>>
>> Should we have these in the registration draft?
>
> These are all reasonable. I am more and more looking at HIT
> authentication services, but I know the value of certificates in
> processes like this, though I keep taking a look at things like ECQV
> certs as an alternative to X.509 certs...

Thanks Bob. Frankly, I'm not a big fan of X.509 certs either, so 
something else would work for me too. Anyway, something more than "just 
knowing HIs" would be useful.


Cheers,
Ari