> I agree that making PKI a MUST requirement would probably be 
> a mistake, but if it turns out that enterprises do not allow 
> their intranet servers to access the internet and if making a 
> verify request or retrieving a persona-url renders the 
> homesite vulnerable to a DoS attack then it may be worth 
> considering PKI as an optional part of the specification.

I don't think that the design is far enough advanced to know what
authentication techniques are required, let alone to throw out an entire
class of solutions.

IPSEC uses PKI and there is not a major problem. There are certainly ways in
which PKI can be applied that should prevent this providing more of a denial
of service attack than already exists.


_______________________________________________
dix mailing list
https://www1.ietf.org/mailman/listinfo/dix
