
Re: [saag] Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC

2014-08-04 11:49:31
Tom,
...
> Steve
>
> Thank you for the comments.  I did not say, but my intent was to make
> Viktor's statements clearer, easier to comment on, so if he made a
> mistake, then my intention was to make the same mistake!

Understood.

> So, yes, I would add a reference for reference identity, such as RFC6125,
> and my [ ?] was intended to convey that I thought that this needed
> changing, about CAs.

OK.

> But on key management, I am not sure I agree with you.  Yes, ECDHE
> is a part of key management, but I would not think it on its own as
> being key management; or put differently, you either have key
> management or you do not, so 'authenticated key management'
> seems to me .. well, not real.  I look in vain for it in RFC2401
> or RFC2828.

Key management comes in many flavors. Some KM techniques provide
mutual authentication, some provide 1-way authentication, some provide
group-level auth, and some provide no auth. There also are flavors
of unauthenticated KM, e.g., TOFU/LoF that confirm persistence of
a peer's key material, absent a third-party assertion about identity.
Thus I think it important to note that the IETF has striven to provide
authenticated key management on a large scale, and that has imposed
impediments to use of many of our protocols.

Steve
