Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
    > If I had my wishes, the MASA would be optional, with a local voucher
    > store in the registrar as the alternative. But that wasn't the WG
    > consensus.

So you speak of non-expiring nonceless vouchers with wildcard for the domain
owner, that would come with the device?  I.e. a bearer voucher/token on a QR 
code.

We decided that such a thing was fraught with issues.

So we painted around it, and declared that version out of scope for now,
because we didn't think we were smart enough to figure out the security
implications of it. (We did this in RFC8366, btw)

In particular, we did not think it had a place in the medium to high-value
devices that we expect ANIMA ACP BRSKI to deal with.
[i.e. routers, VM hosts, NAS boxes... not light bulbs]

I think that there are better ways to deal with a bearer voucher,
and that a layer of intermediation would help with the issues possible
with a bearer token.  This may suit a "ship and mostly forget" situation,
but I also think it's squarely an IoT application, rather than appropriate
for BFRs.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima