Re: key distribution
	Donald's suggestion is worth considering and is intriguing in
that it implicitly proposes reusing the key certificate technology
used in PEM.

	I myself lean more towards using the DNS to store host key
CERTIFICATES (emphasis added to avoid being flamed).  I proposed this
recently on the Namedroppers list and there was some discussion about
it for a while.  One person on that list indicated there might be an
MTU problem with key certificates (for some key sizes) with the DNS
approach.  I'm recently told that the commercial world seems to be
using key sizes in the 1K bits range [separate email messages from
Steve Bellovin, Neil Haller, et al.].  It seems likely that we will
eventually wish to have larger key sizes.  I have no idea over what
time span that will occur, but we should avoid boxing ourselves in
unduly.

	Presently, we will have a reasonable key certificate
infrastructure, thanks entirely to the PEM folks.  I would suggest
that we consider reusing that infrastructure for host keys.  Then some
published session key mgmt protocol could use those host keys (from
the host key certificates) to agree upon and distribute a suitable
session key for use by the IP security protocol among the hosts
participating in the session.

	I would suggest that the session key mgmt protocol have its
own transport-level port number assigned to it and also that there be
a 'version number' or 'key mgmt protocol identifier' assigned so that
the session key mgmt protocol could be revised later if a flaw were
found and also so that we could potentially support more than one
session key mgmt protocol (e.g. one for multicast sessions and one for
unicast sessions if a significant advance should be made in multicast
key mgmt protocols in the published literature).

	I'm not sure that perhaps we are leaping ahead of ourselves
here by doing key management before we have the encapsulating security
protocol figured out somewhat, but I'll go along with whatever the list
consensus is on which order to address topics.

Ran
atkinson@itd.nrl.navy.mil
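The message above argues for giving the session key management protocol a 'version number' or 'key mgmt protocol identifier' so the protocol can be revised if a flaw is found, and so more than one protocol (unicast, multicast) can coexist. The block below is an added illustration of that receiver-side discipline, not code from the original post or from any protocol the thread refers to. The header layout (1-byte version, 1-byte protocol identifier, 2-byte payload length), the constants, and the handler names are constructed assumptions; the point it shows is that a receiver checks (version, protocol id) against an explicit table before it touches the payload, so a message for a revised or unknown protocol is rejected rather than misparsed.

```python
import struct

# Constructed header layout (an assumption for this example, not from the
# thread): version, protocol identifier, payload length, then the payload.
HEADER = struct.Struct("!BBH")

VERSION_1 = 1
PROTO_UNICAST = 1      # assumed identifier for a unicast session key protocol
PROTO_MULTICAST = 2    # assumed identifier for a multicast session key protocol


class UnsupportedMessage(ValueError):
    """Raised when a message's (version, protocol id) is not in our table."""


def encode(version, proto_id, payload):
    """Build a message: fixed header followed by an opaque payload."""
    if not 0 <= version <= 0xFF or not 0 <= proto_id <= 0xFF:
        raise ValueError("version and protocol id are single bytes")
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for 16-bit length field")
    return HEADER.pack(version, proto_id, len(payload)) + payload


def decode(data, supported):
    """Parse the header and dispatch on (version, proto_id).

    `supported` maps (version, proto_id) -> handler. Anything not in the
    table is refused before the payload is interpreted, which is what lets
    a flawed protocol version be retired without breaking the parser.
    """
    if len(data) < HEADER.size:
        raise UnsupportedMessage("truncated header")
    version, proto_id, length = HEADER.unpack_from(data)
    handler = supported.get((version, proto_id))
    if handler is None:
        raise UnsupportedMessage(
            f"no handler for version {version}, protocol {proto_id}")
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise UnsupportedMessage("payload shorter than declared length")
    return handler(body)


# Placeholder handlers: a real protocol would carry out the key agreement
# here. They only report which protocol variant accepted the payload.
def handle_unicast_v1(body):
    return ("unicast", 1, len(body))


def handle_multicast_v1(body):
    return ("multicast", 1, len(body))


SUPPORTED = {
    (VERSION_1, PROTO_UNICAST): handle_unicast_v1,
    (VERSION_1, PROTO_MULTICAST): handle_multicast_v1,
}


def dispatch(data):
    """Receiver entry point using the example's support table."""
    return decode(data, SUPPORTED)


if __name__ == "__main__":
    msg = encode(VERSION_1, PROTO_UNICAST, b"constructed key-exchange payload")
    print(dispatch(msg))
    try:
        # A message from a hypothetical revised version 2 is refused outright.
        dispatch(encode(2, PROTO_UNICAST, b"..."))
    except UnsupportedMessage as e:
        print("rejected:", e)
```

Adding a second session key protocol later is then a table entry, and withdrawing a flawed one is a table deletion; neither changes the framing code, which is the property the version and identifier fields are meant to buy.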
