James Galvin | 1 Mar 01:10

the name of this list has changed to apps-discuss <at> ietf.org

The name of this list is now officially:

    apps-discuss <at> ietf.org

This can be confirmed with the trailer at the bottom and the 
List-ID: header.

I have addressed the message to the old email address so as to 
confirm that backwards compatibility is present.

Enjoy,

Jim

Re: Service Identity (Re: Machine Identity)

On Thu, Feb 28, 2008 at 02:41:22PM +0100,
 Jeroen Massar <jeroen <at> unfix.org> wrote 
 a message of 54 lines which said:

> One should identify the *service*
...
> SSH Keys are a good example of this, they identify the SSH
> service. You can find that service on IPv4 port 22 and IPv6 port 22,
> maybe on different other IP addresses or other port numbers.

OK, if one remembers that a machine can host several services (as in
your SSH example) but also that several machines can together host a
service (for instance a cluster where the sysadmin installs the same
SSH key to all members of the cluster so you can "slogin
thecluster.example.net" without having to confirm the host key each
time a new member is added).
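The cluster case described above, where many names and addresses present one host key, as an added example that is not part of the original thread: a small Python parser over a constructed known_hosts file that groups entries by key fingerprint (one fingerprint is one service identity, whatever names or addresses present it) and separately flags a name that appears with two different keys, which is the host-key change a defender wants to notice. The known_hosts lines and the key blobs are constructed inside the code and are not real keys; the fingerprint format follows OpenSSH's SHA256 base64 style.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_fake_ed25519_blob(seed: int) -> str:
    """Constructed stand-in for an ssh-ed25519 public key blob.

    It has the right wire layout (type name + 32-byte point) so the
    fingerprint code exercises the real path, but it is NOT a real key.
    """
    fake_point = hashlib.sha256(b"constructed-key-%d" % seed).digest()
    wire = _ssh_string(b"ssh-ed25519") + _ssh_string(fake_point)
    return base64.b64encode(wire).decode("ascii")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str):
    """Return (host, keytype, blob) triples, one per name or address on each line.

    Handles comments, blank lines, optional leading markers such as
    @cert-authority, and comma-separated host lists. Hashed entries
    (|1|salt|hash) are kept as opaque strings: they still group by key,
    but their names cannot be read back.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) < 3:
            continue  # malformed line; a real tool would log it
        hosts, keytype, blob = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries.append((host, keytype, blob))
    return entries


def group_by_identity(entries):
    """Map each fingerprint (one service identity) to every name/address that presents it."""
    by_key = defaultdict(set)
    for host, _keytype, blob in entries:
        by_key[fingerprint(blob)].add(host)
    return dict(by_key)


def names_with_multiple_keys(entries):
    """Names that appear with more than one key.

    Either a planned rotation or a host-key change that should be verified
    out of band before the new key is trusted.
    """
    by_host = defaultdict(set)
    for host, _keytype, blob in entries:
        by_host[host].add(fingerprint(blob))
    return {h: fps for h, fps in by_host.items() if len(fps) > 1}


# Constructed sample data: one key shared by every cluster member, plus a
# standalone host whose name appears with two different keys.
CLUSTER_KEY = make_fake_ed25519_blob(1)
STANDALONE_KEY = make_fake_ed25519_blob(2)
STANDALONE_OLD_KEY = make_fake_ed25519_blob(3)

SAMPLE_KNOWN_HOSTS = f"""
# constructed sample, not a real known_hosts file
thecluster.example.net,node1.example.net,192.0.2.10 ssh-ed25519 {CLUSTER_KEY}
node2.example.net,192.0.2.11,[2001:db8::11]:22 ssh-ed25519 {CLUSTER_KEY}
standalone.example.net ssh-ed25519 {STANDALONE_OLD_KEY}
standalone.example.net ssh-ed25519 {STANDALONE_KEY}
"""

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for fp, hosts in group_by_identity(entries).items():
        print(fp, "->", ", ".join(sorted(hosts)))
    for host, fps in names_with_multiple_keys(entries).items():
        print("key changed for", host, ":", len(fps), "distinct keys")
```

Grouping by fingerprint rather than by name is what makes the cluster read as one identity: six names and addresses collapse to a single key, while the standalone host shows up in the second report because the same name is backed by two keys.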

Re: Machine Identity

On Thu, Feb 28, 2008 at 05:38:46PM +0100,
 Jeroen Massar <jeroen <at> unfix.org> wrote 
 a message of 39 lines which said:

> As such, SSH-keys, HIP and OpenPGP are items you can use already for
> this, the latter already has trust built in thus seems suitable for
> your use.

Yes, all three of them fill my requirements. The problem is that they
are not "standard" (for some definition of standard). You can not rely
on them being present in OS libraries, you do not have a specification
separated from the specific usage they were made for, etc.

Thought experiment: if SSH did not exist (but HIP and PGP do) and you
were to create the protocol and write an RFC describing SSH. What would
you use for host keys? Copy-and-paste from HIP RFCs? Using OpenPGP
keys as they are with a normative reference to RFC 4880? 

Re: Machine Identity

On Thu, Feb 28, 2008 at 09:32:52AM -0800,
 Dave Crocker <dhc <at> dcrocker.net> wrote 
 a message of 28 lines which said:

> The requirements you have provided mean that there must be a global,
> persistent registration service.

No, I do not think so. Identifiers locally generated, at random, in a
large space (like SSH or OpenPGP keys or HIP Host Identifiers) are
OK. 

Besides the small risk of accidental collision, their main problem is
that you cannot prevent an entity from having as many identities as it
wishes. But it is exactly the same with domain names.
Jeroen Massar | 3 Mar 17:51

Re: Service Identity

[ Merging threads :) ]

Stephane Bortzmeyer wrote:
 > On Thu, Feb 28, 2008 at 02:41:22PM +0100,
 >  Jeroen Massar <jeroen <at> unfix.org> wrote
 >  a message of 54 lines which said:
 >
 >> One should identify the *service*
 > ...
 >> SSH Keys are a good example of this, they identify the SSH
 >> service. You can find that service on IPv4 port 22 and IPv6 port 22,
 >> maybe on different other IP addresses or other port numbers.
 >
 > OK, if one remembers that a machine can host several services (as in
 > your SSH example) but also that several machines can together host a
 > service (for instance a cluster where the sysadmin installs the same
 > SSH key to all members of the cluster so you can "slogin
 > thecluster.example.net" without having to confirm the host key each
 > time a new member is added).

Of course, as that would, for that setup, be a single service, thus have 
one identity.

This is the same with people who have a home email address, and probably 
use that to communicate with family and friends, while the work email 
address is used solely for work. Some people use either of them for both 
though, thus it depends on what one uses it for in what setup. This 
allows it to be quite generic though.

Stephane Bortzmeyer wrote:

Dave Crocker | 3 Mar 19:00

Re: Machine Identity


Stephane Bortzmeyer wrote:
> On Thu, Feb 28, 2008 at 09:32:52AM -0800,
>  Dave Crocker <dhc <at> dcrocker.net> wrote 
>> The requirements you have provided mean that there must be a global,
>> persistent registration service.
> 
> No, I do not think so. Identifiers locally generated, at random, in a
> large space (like SSH or OpenPGP keys or HIP Host Identifiers) are
> OK. 

How are you going to do reputation-reporting with transient identifiers?  How 
does the history develop on which a reputation will be based?

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
Dave Crocker | 4 Mar 00:43

Re: Machine Identity


Jeroen Massar wrote:
> DKIM indeed 'comes up' with a pub/priv keypair out of thin air, like 
> SSH. When you talk to the host again you do know that you are talking to 
> the same host and not a different one, but they are still anonymous.

DKIM uses a registered domain name as its identifier.  (Indeed, that's where the 
public key is recorded.)

The keypair is used only for the authentication step.  Not identification and 
not authorization or reputation.  The registered domain name is used for that.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
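The point made in the reply above, that the DKIM identity is the registered domain in d= and the key pair only authenticates, as an added example that is not part of the original thread: a Python helper that parses a DKIM-Signature header, derives the DNS name where the public key is published (selector._domainkey.domain, per RFC 6376), checks that the agent identifier i= falls under d=, and reads the key record, including the empty p= that RFC 6376 defines as a revoked key. The header and records are constructed; the base64 values are placeholders, not real signatures or keys, and no DNS lookup or signature verification is performed.

```python
def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Tags are separated by ';'; folding whitespace inside a value is not
    significant, so it is stripped. A repeated tag makes the list invalid.
    """
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(val.split())
    return tags


def dkim_identity(signature_header: str) -> dict:
    """Extract the identity a DKIM signature asserts.

    The identity is the signing domain (d=). The selector (s=) only says
    which of the domain's published keys to fetch; the key pair itself
    carries no identity until it is published under that domain.
    """
    tags = parse_tag_list(signature_header)
    for required in ("v", "a", "d", "s", "b", "bh", "h"):
        if required not in tags:
            raise ValueError(f"missing required tag {required}=")
    domain = tags["d"].lower()
    selector = tags["s"]
    # i= defaults to "@" + d=; if present, its domain part must be d= or a subdomain of it.
    agent = tags.get("i", "@" + domain)
    agent_domain = agent.rsplit("@", 1)[-1].lower()
    if agent_domain != domain and not agent_domain.endswith("." + domain):
        raise ValueError(f"i={agent} is not within d={domain}")
    return {
        "domain": domain,
        "selector": selector,
        "agent": agent,
        "key_record": f"{selector}._domainkey.{domain}",
    }


def same_signer(sig_a: str, sig_b: str) -> bool:
    """Two signatures name the same identity iff d= matches; different keys or selectors do not matter."""
    return dkim_identity(sig_a)["domain"] == dkim_identity(sig_b)["domain"]


def parse_key_record(txt: str) -> dict:
    """Parse the TXT record published at selector._domainkey.domain.

    An empty p= means the key has been revoked (RFC 6376 section 3.6.1):
    the domain owner withdraws the key without touching any signer.
    """
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported key record version")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    return {"key_type": tags.get("k", "rsa"), "public_key": tags["p"], "revoked": tags["p"] == ""}


# Constructed sample header and records; the base64 values are placeholders, not real material.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=Example.com; s=sel2008;\r\n"
    "\th=from:to:subject:date; i=mailer@lists.example.com;\r\n"
    "\tbh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE="
)
# Same domain, different selector (so a different key), no i=: same identity.
SAMPLE_SIGNATURE_ROTATED = (
    "v=1; a=rsa-sha256; d=example.com; s=sel2009; h=from:to:subject:date;\r\n"
    "\tbh=PLACEHOLDERBODYHASH=; b=OTHERPLACEHOLDERSIGNATURE="
)
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"
SAMPLE_REVOKED_RECORD = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    ident = dkim_identity(SAMPLE_SIGNATURE)
    print("identity:", ident["domain"], "key lives at", ident["key_record"])
    print("same signer after key rotation:", same_signer(SAMPLE_SIGNATURE, SAMPLE_SIGNATURE_ROTATED))
    print("revoked:", parse_key_record(SAMPLE_REVOKED_RECORD)["revoked"])
```

The `same_signer` check makes the distinction concrete: rotating the selector and key changes nothing about who signed, while the same key published under another domain would be a different identity, because the verifier only ever fetches it from the domain named in d=.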