Re: >>FWD- Re- FYI IPSEC WG




From:  Paul_Lambert@poncho.phx.sectel.mot.com (Paul Lambert)
To:  dee@skidrow.ljo.dec.com (dee), ipsec@ans.net (ip security mailing list)
>>If the current charter is interpreted broadly, and this "application
>>level" key management protocol can be interpreted to allow
>>consideration of DNS retrieval of public keys or agreement via a new
>>protocol number (or with new ICMPs) to either use manual key
>>distribution or securely exchange session keys and the like, then I
>>guess I can live with the charter.  This means I assume that I can
>>submit a proposal which includes the possibility of host A sending a
>>datagram to host B which is marked as authenticated using a public key
>>retrievable from the DNS and the proposal will not be rejected merely
>>on the grounds that it is outside the charter.
>>Donald
>
>Our charter is open for broad interpretation, but our schedule is quite
>tight.  If your key management proposals are rejected it will be for
>technical reasons and not because of the charter.  Your text above seems to
>imply several distinct approaches.  Our goal is to define a single key
>management protocol to support the IPSP.

I gather then that the answer to my question is yes.  I really meant
DNS key retrieval to be an example of the type of thing that I did not
want ruled out by the words "application level key management
protocol".

My understanding is that the "key management protocol" is already
assumed to include some way to say that the parties should use
manually distributed keys as well as some second type of agreement,
such as certificates.  So two possibilities are already encompassed.

>While I have argued in previous postings to keep key management in the IPSEC
>charter, this does not mean that we will be able to define the ultimate key
>management protocol to meet every personUs whim.  As previously suggested on
[trivial aside:  you really should use some software that translates
Macintosh characters to equivalent USASCII or something...]
>this mail list, if we identify a need for such a protocol, it would belong
>in a new working group.

I would urge the strong resistance of any attempt to define "the
ultimate" anything, in this working group or any other.  The success
of the Internet has to a great extent come from focusing efforts on
getting something simple working in a timely fashion to meet most
needs.  I think the IPSP should be grounded in the real requirements,
current and anticipated, of the Internet and not based on anyone's
whim nor be a copy of an OSI protocol just because the OSI protocol is
an OSI standard.

It seems to me that there are needs in the Internet for efficient secure
"connections" at the IP level as well as for at least authenticated
isolated datagrams.  While I think the secured datagram formats could
be identical for these two cases, the key management requirements are
different.

>The relationship between the ipsec mechanisms (key management and IPSP) and
>the DNS needs to be examined very closely.  Your proposal to use public keys

Why does the relationship with DNS need to be examined more carefully
than other aspects of IPSP?  It sounds a bit like you are just setting
things up, even at this early stage, to say that anything other than a
NLSP clone with key certificates needs further study and should be
pushed aside.

>retrievable from the DNS represents just one of several ways that this
>information could be distributed.  If we are to compare these proposals we
>need to start with some basic requirements and criteria for key management.

Sounds like a good idea.

>Paul

Donald