[ietf-enroll] Some thoughts on ENROLL's direction

Jari Arkko jari.arkko at piuha.net
Tue Mar 30 00:49:20 EST 2004


(also resent. sorry if you receive these multiple times...)

Thanks for your response Jesse, I agree with what
you said. Just one issue below:

> Agreed, I think. But doesn't the above assume that something in the
> protocols is asymmetric? Perhaps a symmetric protocol would also
> be possible, and in that case the step would not be needed.
> 
> [JRW] My model is the USB token, or an IR device that can act like one.
> You load the OOB information from one of the devices, move the token to
> the other device, and then download the OOB information from the
> transfer device onto another. The world does not have to adopt my model,
> but that is the one I am using. If you want to design another one, be my
> guest. I don't know how to make the OOB transfer two-way without the
> user running back and forth between the devices.

Oh, I do agree with you about the OOB transfer being
one way. But the rest of your text appeared to be saying
that there has to be a role agreement step in the in-band
protocol to figure out who is the enroller and who is
the enrollee. This is the part that I had some doubts
about. It seems that if your OOB protocol provides keying
material between two devices, the rest of the protocol
(in-band part) might also be symmetric enough so that
no such step is needed. But I guess we need more work
on the protocol details to know whether this is actually
the case. I just didn't want to reserve a protocol component
for the role decision before I was convinced that it's really
needed.

The OOB part of the protocol is of course asymmetric.
(But there the question may be whether it's the protocol
or the user who decides which way it's run.)

--Jari