
Re: [resend] Use of DNS to distribute keys



Donald:

>Assume you have an IP security protocol with SAIDs (Security
>Association IDs).  Mostly these would be for negotiated TCP-like
>exchanges with a session key, etc.  But you should permanently
>allocate some "global" SAIDs to mean a particular algorithm family
>with particular non-negotiated keys such as from DNS.  Note that you
>might even want to use such global SAID authenticated/encrypted
>packets as the initial packets in setting up a negotiated SAID so
>that *none* of your packets are in the clear.

IEEE Std 802.10-1992 defines the Secure Data Exchange (SDE) protocol.  The
SAIDs defined in this standard use the high order bit to distinguish between
pairwise and multicast security associations.  Personally, I would like to see
this convention adopted everywhere so that one security association manager (or
cryptographic key manager) can be used regardless of the lower layer security
protocol that is using the security association.

Russ

