On 7/27/12 12:04 PM, Robert Moskowitz wrote:

On 07/27/2012 12:22 PM, Ari Keranen wrote:
Hi Julien,

On 7/6/12 3:37 AM, Julien Laganier wrote:
- 5203bis (registration) can IMHO be republished as is as I haven't
seen any issue with the original version. If people agree I could
republish it and we could WGLC it...

I posted some comments about 5203bis earlier this year but back then
there was no discussion regarding them. So, here goes again.

Some of these have been discussed also earlier on this list (these
relate to requirements discovered with the native NAT traversal draft
[1]), but I'll have them all here for easier reference.

Currently, the registrar has no way of indicating that it would
otherwise accept the registration, but it's currently running low on
resources. For this purpose, a failure type "Insufficient resources"
could be added to the "registration failure types".

Registration using authentication with certificates could be part of
the registration RFC. Currently, only authentication with HI is
defined, but knowing all HIs beforehand is not practical in many cases.

Text in section 3.2 of [1] could be used as a basis for this (just
replace "HIP' data relay" with "registrar"). Also, if this
authentication mode is added to the draft, failure type "Invalid
certificate" should be added for the failure case.

Should we have these in the registration draft?

These are all reasonable. I am more and more looking at HIT
authentication services, but I know the value of certificates in
processes like this, though I keep taking a look at things like ECQV
certs as an alternative to X.509 certs...

Thanks Bob. Frankly, I'm not a big fan of X.509 certs either, so something else would work for me too. Anyway, something more than "just knowing HIs" would be useful.


Cheers,
Ari
_______________________________________________
Hipsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/hipsec
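The discussion above concerns which failure type a HIP registrar can put in its REG_FAILED parameter. The following is an added illustration, not code from this thread or from any HIP implementation: it encodes and decodes the REG_FAILED parameter as laid out in RFC 5203 (parameter type 930; failure types 0 "additional credentials required" and 1 "registration type unavailable") and shows the decision point where a registrar that is out of capacity would need the proposed "Insufficient resources" code. The code points for the two proposed failure types (`FAIL_INSUFFICIENT_RESOURCES`, `FAIL_INVALID_CERTIFICATE`) are placeholder values chosen here, not assigned numbers, and `registrar_decision` is a hypothetical helper.

```python
"""Added example (not from the hipsec thread or any HIP stack): encode and
decode the HIP REG_FAILED parameter of RFC 5203 and show how a registrar
would select a failure type, including the proposed "Insufficient resources"
case. Placeholder code points below are hypothetical, not IANA-assigned."""
import struct

REG_FAILED_TYPE = 930  # parameter type number from RFC 5203

# Failure types 0 and 1 are defined in RFC 5203. The other two are the codes
# proposed in the thread; their numeric values here are placeholders.
FAIL_ADDITIONAL_CREDENTIALS = 0
FAIL_TYPE_UNAVAILABLE = 1
FAIL_INSUFFICIENT_RESOURCES = 0x7F00  # placeholder, hypothetical value
FAIL_INVALID_CERTIFICATE = 0x7F01     # placeholder, hypothetical value

RENDEZVOUS = 1  # registration type value from RFC 5204


def build_reg_failed(failure_type: int, reg_types: list) -> bytes:
    """Encode REG_FAILED: Type, Length, 16-bit Failure Type, then one octet
    per registration type. Length counts octets after the header and
    excludes padding; the parameter is padded to a multiple of 8 octets."""
    if not 0 <= failure_type <= 0xFFFF:
        raise ValueError("failure type must fit in 16 bits")
    if not reg_types or any(not 0 <= t <= 0xFF for t in reg_types):
        raise ValueError("need one or more 8-bit registration types")
    body = struct.pack("!H", failure_type) + bytes(reg_types)
    header = struct.pack("!HH", REG_FAILED_TYPE, len(body))
    param = header + body
    return param + b"\x00" * (-len(param) % 8)


def parse_reg_failed(data: bytes) -> tuple:
    """Decode REG_FAILED, rejecting bad type, length or non-zero padding.
    Returns (failure_type, [reg types])."""
    if len(data) < 8 or len(data) % 8:
        raise ValueError("truncated or unpadded parameter")
    ptype, length = struct.unpack("!HH", data[:4])
    if ptype != REG_FAILED_TYPE:
        raise ValueError("not a REG_FAILED parameter: type %d" % ptype)
    if length < 3 or 4 + length > len(data):
        raise ValueError("bad length field")
    if any(data[4 + length:]):
        raise ValueError("non-zero padding")
    body = data[4:4 + length]
    (failure_type,) = struct.unpack("!H", body[:2])
    return failure_type, list(body[2:])


def registrar_decision(requested: list, offered: set, free_slots: int,
                       credentials_ok: bool) -> tuple:
    """Hypothetical registrar policy for a REG_REQUEST. Returns
    ("REG_RESPONSE", granted types) or ("REG_FAILED", encoded parameter)."""
    unknown = [t for t in requested if t not in offered]
    if unknown:
        return "REG_FAILED", build_reg_failed(FAIL_TYPE_UNAVAILABLE, unknown)
    if not credentials_ok:
        return "REG_FAILED", build_reg_failed(FAIL_ADDITIONAL_CREDENTIALS,
                                              requested)
    if free_slots < len(requested):
        # The case raised in the thread: the registrar would accept the
        # request but is out of capacity. A distinct code lets the requester
        # retry later instead of concluding the service is unavailable.
        return "REG_FAILED", build_reg_failed(FAIL_INSUFFICIENT_RESOURCES,
                                              requested)
    return "REG_RESPONSE", list(requested)


if __name__ == "__main__":
    kind, payload = registrar_decision([RENDEZVOUS], {RENDEZVOUS}, 0, True)
    print(kind, payload.hex())
    print(parse_reg_failed(payload))
```

The decoder deliberately checks the padding octets as well as the length field; a registrar that accepts sloppy encodings from one peer tends to end up with divergent parsers on the two sides of the registration.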