RE: [Geopriv]WGLCondraft-ietf-geopriv-l7-lcp-ps-00(PIDF-LOdigitalsignatures)

From: Brian Rosen ^lt;br@brianrosen.net>
Date: Wed Mar 07 2007 - 14:51:16 EST

We crossed signals. I thought why not just use lbyr instead of lbyv with an
lbyr as a provided-by. Then you do have to dereference at every step.

Including an lbyr as the provided by in a value gets you both the value and
the lbyr. If you have both, then you can indeed use the value to route and
display, and use the reference to validate whenever you want to.

Brian

> -----Original Message-----
> From: Marc Linsner [mailto:mlinsner@cisco.com]
> Sent: Wednesday, March 07, 2007 2:21 PM
> To: 'Brian Rosen'; 'Andrew Newton'
> Cc: geopriv@ietf.org
> Subject: RE: [Geopriv]WGLCondraft-ietf-geopriv-l7-lcp-ps-00(PIDF-
> LOdigitalsignatures)
>
> Brian,
>
> in-line...
>
> >
> > Yes, it works. I don't think it's any better or worse than
> > signing the location value, but the operations required
> > (dereference at every step) is a pain. It's functional.
> > Consider that the TLS operation needs the very same cert that
> > you would use to sign, the crypto operations are roughly
> > similar, and the security is pretty much the same.
>
> Why dereference at every step? If l-by-v is supplied, you only dereference
> the provided-by uri as an 'authentication' of the presented value. IOW,
> use
> the provided-by uri when desired, it's not required. I don't think any
> intermediary routing proxy would need to dereference anything when l-by-v
> is
> supplied. Besides, why is dereferencing l-by-r any bigger pain when
> chasing
> certs?
>
> -Marc-
>
> >
> > Let's look at the cases you seem to care about: enterprise
> > and Marc Linsner's boat-as-access-network.
> >
> > The enterprise can sign a cert or use it's cert to create a
> > TLS connection.
> > To trust it, the cert it uses has to be signed by someone you trust.
> > Signatures have the same characteristics as TLS. If it won't
> > accept a TLS (or only offers digest authentication) then you
> > could be suspicious, although you would proceed.
> >
> > The boat is unlikely to have a cert you trust for either TLS
> > or signing.
> > Best you could do is to verify that the domain is owned by
> > the signer, if the cert was in the DNS.
> >
> > I'd rather have a signed value.
> >
> > Brian
> >

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv
Received on Wed, 7 Mar 2007 14:51:16 -0500

This archive was generated by hypermail 2.1.8 : Wed Mar 07 2007 - 14:50:08 EST