
Re: >>FWD- Re- FYI IPSEC WG






>If the current charter is interpreted broadly, and this "application
>level" key management protocol can be interpreted to allow
>consideration of DNS retrieval of public keys or agreement via a new
>protocol number (or with new ICMPs) to either use manual key
>distribution or securely exchange session keys and the like, then I
>guess I can live with the charter.  This means I assume that I can
>submit a proposal which includes the possibility of host A sending a
>datagram to host B which is marked as authenticated using a public key
>retrievable from the DNS and the proposal will not be rejected merely
>on the grounds that it is outside the charter.
>
>Donald

Our charter is open for broad interpretation, but our schedule is quite
tight.  If your key management proposals are rejected it will be for
technical reasons and not because of the charter.  Your text above seems to
imply several distinct approaches.  Our goal is to define a single key
management protocol to support the IPSP.

While I have argued in previous postings to keep key management in the IPSEC
charter, this does not mean that we will be able to define the ultimate key
management protocol to meet every person's whim.  As previously suggested on
this mail list, if we identify a need for such a protocol, it would belong
in a new working group.

The relationship between the ipsec mechanisms (key management and IPSP) and
the DNS needs to be examined very closely.  Your proposal to use public keys
retrievable from the DNS represents just one of several ways that this
information could be distributed.  If we are to compare these proposals we
need to start with some basic requirements and criteria for key management.

Paul



