Re: [RPSEC] [secdir] [OSPF] [sidr] Authentication for OSPFv3
"Steven M. Bellovin" <smb@cs.columbia.edu> Fri, 03 October 2008 01:48 UTC
Date: Thu, 02 Oct 2008 21:48:53 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Sam Hartman <hartmans-ietf@MIT.EDU>
Message-ID: <20081002214853.208a78ff@cs.columbia.edu>
In-Reply-To: <tsliqsdy5yv.fsf@mit.edu>
References: <48D96507.4000207@sri.com> <20080929200231.3E5DD3F443@pecan.tislabs.com> <77ead0ec0809291853t63940339xc826b13cf5515176@mail.gmail.com> <C50382B8-74EB-4157-9043-56CB1D3F8594@cisco.com> <BAD965BE-053F-4296-B0F7-CF0F2C9C0779@redback.com> <tsliqsdy5yv.fsf@mit.edu>
Organization: Columbia University
X-Mailer: Claws Mail 3.5.0 (GTK+ 2.12.11; x86_64--netbsd)
Mime-Version: 1.0
Cc: rpsec@ietf.org, secdir@MIT.EDU, sidr@ietf.org, OSPF List <ospf@ietf.org>, David Ward <dward@cisco.com>, Acee Lindem <acee@redback.com>, Ross Callon <rcallon@juniper.net>
Subject: Re: [RPSEC] [secdir] [OSPF] [sidr] Authentication for OSPFv3
On Tue, 30 Sep 2008 12:05:28 -0400 Sam Hartman <hartmans-ietf@MIT.EDU> wrote:

> It's certainly true that some people in the room spoke out against
> certificates. At least some of the reasons given did not actually
> inherently apply to certificates as a whole although they did create
> some significant constraints for what would not create operational
> problems.
>

Right. There's a big misconception in the world that using certificates inherently requires a massive, complex infrastructure that's best handled by third parties. In reality, using certificates within an enterprise need be no more complex than handing out or accepting passwords. All you need is a simple wrapper around something like OpenSSL. You don't need formal root certificate ceremonies, you don't need court-certified videographers, you don't need high priests waving incense and anointing the certificate-signer machine with a mixture of cow innards and ground-up prime numbers. (That's what OCSP is about: Offal of Cow Sprinkled with Primes....)

Whoever hands out address blocks within the company can sign the certificates -- it's that simple. I sometimes refer to this as the difference between "PKI" and "pki" -- for enterprises, you need the latter.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
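The "simple wrapper around something like OpenSSL" that the message describes, written out as an added illustration (this is not code from the message or from any IETF draft): a single in-house signer keeps one self-signed CA key, issues a certificate to each router it is told about, and a relying router accepts only certificates that chain to that one CA. The organization name, the CA name `corp-ca` and the router name `rtr1.example.net` are constructed placeholders; key sizes and validity periods are arbitrary choices for the example.

```shell
#!/bin/sh
# Minimal enterprise "pki" with stock openssl(1): one CA key, one signer, no
# external parties. Added example; all names below are constructed placeholders.
set -eu

# make_ca DIR : create the CA's private key and a self-signed CA certificate.
# This is the whole "root ceremony": the person who hands out address blocks
# runs it once and protects DIR/ca.key like any other admin credential.
make_ca() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=corp-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# issue_cert DIR NAME : generate a key and CSR for router NAME, then sign the
# CSR with the CA. In practice the key would be generated on the router and
# only the CSR sent to the signer; here both steps run locally for brevity.
issue_cert() {
  dir="$1"; name="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# verify_cert DIR CERT : what a relying router does with a peer's certificate.
# Returns 0 only if CERT was signed by DIR/ca.crt; anything else is rejected,
# including a well-formed certificate from some other CA.
verify_cert() {
  dir="$1"; cert="$2"
  openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1
}

# demo : build the CA, issue one router certificate and check it, then show
# that a certificate from an unrelated CA is refused.
demo() {
  ours=$(mktemp -d); other=$(mktemp -d)
  make_ca "$ours"
  issue_cert "$ours" rtr1.example.net
  if verify_cert "$ours" "$ours/rtr1.example.net.crt"; then
    echo "rtr1.example.net: accepted (signed by corp-ca)"
  fi
  make_ca "$other"                       # a second, unrelated CA
  issue_cert "$other" rtr1.example.net   # same name, wrong signer
  if ! verify_cert "$ours" "$other/rtr1.example.net.crt"; then
    echo "rtr1.example.net from other CA: rejected"
  fi
  rm -rf "$ours" "$other"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Run it as `sh pki.sh demo`. The only state that matters is `ca.key` on the signer's machine and `ca.crt` distributed to every router; revocation in this model is the same administrative act as re-issuing a password, and rotation is a new `make_ca` followed by re-issuing the router certificates.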