[anonsec] BTNS updates
Nicolas.Williams at sun.com
Sun Mar 19 14:26:06 PST 2006
On Sun, Mar 19, 2006 at 11:49:46AM -0600, Michael Richardson wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
> Nicolas> - Nodes that wish to be treated as BTNS nodes by their peers
> Nicolas> should generate a self-signed cert with a randomized DN.
> Can you be more specific?
Do I have to be?
> Nicolas> We did discuss channel bindings, however. Channel bindings do
> Nicolas> presume connection latching, which we did not work out in
> Nicolas> detail, but nonetheless we think that for SAs authenticated with
> Nicolas> public key signatures the channel bindings for latched
> Nicolas> connections will be the public key values of the two peers.
> Directly? Or concatenation of hashes of public keys?
> What order?
No, not directly, a bit of structure may be necessary, and a canonical
order is necessary (there can be only two, so let's pick one).
> Will we write a single description of a channel binding "blob", or will
> this be application defined?
We will write a single description in a separate document (most likely).
> If there are two connections between peers, such as, in some cases, two NFS
> mounts, but certainly if I used channel binding for two SSH connections for
> which I had a (probably-non-btns) /32<->/32 tunnel, would both instances see
> the same binding data?
Most often, yes, but not necessarily.
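The exchange above leaves the binding "blob" format to a later document but settles two points: some structure is needed, and a canonical order of the two public keys is needed. The following is an added illustration, not code from the BTNS drafts or from either correspondent, of why the order matters: it derives a binding from two constructed public key byte strings once with a bytewise sort and length prefixes (an assumed structure) and once naively in local-then-remote order, and shows that only the canonical form lets both peers arrive at the same value. The key bytes, the sort rule, the length-prefix framing and the choice of SHA-256 are all assumptions made for the example.

```python
import hashlib
import struct


def encode_binding(pubkey_a: bytes, pubkey_b: bytes) -> bytes:
    """Channel-binding value for a latched connection between two peers
    that authenticated with public key signatures.

    The structure below is an assumption for this example, not the BTNS
    specification:
      - the two encoded public keys are sorted bytewise, so both peers
        derive the same value whichever side initiated
      - each key is length-prefixed (4-byte big-endian) so that the
        boundary between the keys is unambiguous
      - the framed pair is hashed with SHA-256
    """
    first, second = sorted((pubkey_a, pubkey_b))
    framed = b"".join(struct.pack(">I", len(k)) + k for k in (first, second))
    return hashlib.sha256(framed).digest()


def naive_binding(local_key: bytes, remote_key: bytes) -> bytes:
    """Binding hashed in local-then-remote order with no canonical sort.
    Included only to show the failure mode: each peer sees a different
    'local' key, so the two ends disagree."""
    return hashlib.sha256(local_key + remote_key).digest()


# Constructed sample key encodings (not real keys, not real SPKI structures).
PEER_A_KEY = b"constructed-key-bytes-for-peer-A-" + bytes(range(16))
PEER_B_KEY = b"constructed-key-bytes-for-peer-B-" + bytes(range(16, 32))


def peers_agree(key_a: bytes, key_b: bytes) -> bool:
    """True when peer A (holding key_a, seeing key_b) and peer B (the
    reverse) compute the same canonical binding."""
    return encode_binding(key_a, key_b) == encode_binding(key_b, key_a)


def naive_peers_agree(key_a: bytes, key_b: bytes) -> bool:
    """Same check for the unsorted construction."""
    return naive_binding(key_a, key_b) == naive_binding(key_b, key_a)


if __name__ == "__main__":
    print("canonical binding agrees:", peers_agree(PEER_A_KEY, PEER_B_KEY))
    print("naive binding agrees:   ", naive_peers_agree(PEER_A_KEY, PEER_B_KEY))
    print("binding:", encode_binding(PEER_A_KEY, PEER_B_KEY).hex())
```

Because the value depends only on the two public keys, two latched connections between the same pair of keys yield the same binding data in this construction, which is the "most often, yes" case in the reply; a design that also folded per-connection material (SPIs, addresses, or a tunnel selector) into the structure would make the two instances differ.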