Hi Mike,

Just one clarification:

On 9/26/16 5:41 PM, Michael StJohns wrote:
>
> With respect to Eliot's comment, it doesn't really matter if the key
> management protocol is asymmetric if the multicast session keys are
> symmetric and used for control.

This doesn't really capture my position which leads me to believe I've muddled it. The key question is whether every transaction needs to be authenticated to a unique device *within this protocol* or is it sufficient that such authentication exists at other layers, e.g., either in content or at lower layers? I recognize that there are some big risks to adding such a dependency, because there is no certainty that implementations will follow that guidance.

> The analysis of this can pretty much ignore the key management piece
> and start with 100 controllers and 1000 actuators with pre-shared keys
> to consider the threat and mitigation models. Which analysis - AFAICT
> - no one has actually done. Basically, if you can't secure this
> 100/1000 system and keep it secure with respect to control functions,
> I would argue that the rest of it (e.g. key management) is meaningless
> window dressing.

The question in this context again, is whether it all has to happen at this layer?

Eliot
_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
