For interconnected domains and whatever, I would rather just use DTLS with relatively short-lived and auto-renewed certs (real-time revocation is hard to do if you are authenticating routing - chicken 'n' egg problem; one alternative is of course some sort of manual blacklisting if you want to go with long-lived certs).
If HNCP is in the picture, the DNCP trust-based consensus model is also an option - with it, (self-signed) certificates can have a long lifetime, as their usefulness is determined by consensus of nodes -> as long as there are only a few compromised nodes, you can blacklist them in real time if you control the rest of the nodes.

Cheers,

-Markus
_______________________________________________
Babel-users mailing list
Babel-users@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users