
Re: >FWD- Re- FYI IPSEC WG C

Reply to: RE>>FWD: Re: FYI IPSEC WG Ch
Donald,

Do you have a specific change you would like to see made in the charter,
or can your comments be addressed within the scope we have documented?
 
I agree that we need to have some form of *manual* key management for
the initial IPSP draft.  

>>initially support public key based techniques.  Flexibility in the
>>protocol will allow eventual support of Key Distribution Center (KDC -
>>such as Kerberos) and manual distribution approaches.
>
>I'm not sure exactly what is meant by the above but it seems much too
>restrictive to me.  I think of key management as somewhat orthogonal
>to cryptographic algorithm.  Assuming you have some way for parties
>negotiating a "secure" (ie, provides one or more of the 4 services
>listed above) connection to negotiate about the cryptographic
>algorithm(s) they are going to use, why can't they also negotiate the
>key exchange mechanism?  There is nothing wrong with a generally
>accepted applications level protocol; it would be a good thing.  But
>why would something so much simpler (if more cumbersome) like manual
>key distribution, which it seems like you would want to use in
>debugging the "secure" connection mechanism, come later than an
>applications level protocol which would be much more complex (although
>more convenient)?  Why not allow the parties just to say to each other
>that they are assuming manual key distribution as another possibility
>to applications level public key (certificate, DNS, or whatever)?

The manual key management for the initial IPSP release could be simple
guidelines for setting a local IPSP MIB.  I also believe that the *key
management protocol* must support some signaling to announce the
availability of manually installed keys.  It is this signaling for manual
keys within the key management protocol that is described in the charter.
Manual key installation will be required to demonstrate the initial
host-to-host IPSP, but there will be no new signaling to support this
demonstration.

I would hope that your comments on the draft charter can all be addressed
within the current scope and that we don't need to wordsmith the charter
anymore.


Paul