Re: Key Management Query/Comments...
> Frank Kastenholz says:
> > The reason is simple. The purpose of the SNMP is to detect, diagnose,
> > and fix network failures. If the key-distribution-protocol fails, how
> > can SNMP be used to detect, diagnose, and fix the key-distribution
> > protocol? Similarly, if the SNMP manager/agent can not reach a
> > key-distribution server to, e.g., validate keys or tickets or whatever,
> > then SNMP can not be used to fix other things as well.
>
> It can't if it hasn't prefetched the public keys, but it can easily
> get them while the network is still functioning and hold on to them,
> thus providing it with the keys for those periods when it ceases to
> function. Most SNMP management systems tend to poll the same machines
> over and over again, so holding on to them is no big deal.
Assuming that the non-SNMP mechanism used to pre-fetch the keys is
working. And, of course, what happens if a key "times out" during the
problem period?
Plus there is the cost issue -- if I run some key-distribution system
then I need to set up and control another software package, perhaps on a
machine that is different than the SNMP manager... I've discovered that
commercial sites tend to prefer having as few vendors as possible --
makes it easier to track down and fix problems (i.e. it is harder to
blame someone else if there are fewer someone-elses :-)
And of course, what if I am not running in a TCP/IP environment? SNMP
works over non-TCP/IP protocols (raw ethernet, novell, decnet, osi, sna
-- i believe -- and so on). If I were to use something like Kerberos for
key management/distribution, then I'd need to get Kerberos over the same
thing as SNMP is running....
--
Frank Kastenholz
FTP Software
2 High Street
North Andover, Mass. USA 01845
(508)685-4000
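The two positions in the exchange above (prefetch and cache the keys while the network works; but what if a key times out during the problem period?) can be made concrete with a small model. The following Python is an added example, not code from the thread or from either author: a manager that depends on a separate key server for per-agent keys, polling once per tick, with a constructed outage window during which the key server is unreachable. The key lifetime, outage boundaries and the optional early-refresh margin are arbitrary values chosen to show the effect.

```python
"""Toy model of an SNMP manager that depends on a separate key-distribution
service.  Constructed example: agent names, tick timings and lifetimes are
made up; the point is the dependency, not any real protocol."""
from dataclasses import dataclass


@dataclass
class Key:
    agent: str
    issued: int      # tick at which the key server handed it out
    lifetime: int    # number of ticks it stays valid

    def valid_at(self, now: int) -> bool:
        return now < self.issued + self.lifetime


class KeyServer:
    """The non-SNMP mechanism the manager must reach to (re)fetch keys."""

    def __init__(self, lifetime: int):
        self.lifetime = lifetime
        self.reachable = True

    def fetch(self, agent: str, now: int) -> Key:
        if not self.reachable:
            raise ConnectionError("key server unreachable")
        return Key(agent, now, self.lifetime)


class Manager:
    """Prefetches keys and holds on to them; refresh_margin > 0 means it tries
    to renew a key that many ticks before it expires (while the net still works)."""

    def __init__(self, server: KeyServer, refresh_margin: int = 0):
        self.server = server
        self.cache: dict[str, Key] = {}
        self.refresh_margin = refresh_margin

    def key_for(self, agent: str, now: int):
        key = self.cache.get(agent)
        if key is None or not key.valid_at(now + self.refresh_margin):
            try:
                key = self.server.fetch(agent, now)
                self.cache[agent] = key
            except ConnectionError:
                pass  # keep whatever we cached; it may still be valid
        if key is None or not key.valid_at(now):
            return None
        return key

    def poll(self, agent: str, now: int) -> bool:
        # A poll can only be authenticated if a currently valid key is at hand.
        return self.key_for(agent, now) is not None


def simulate(lifetime, outage_start, outage_end, horizon, refresh_margin=0):
    """Return, per tick, whether the manager could authenticate its poll."""
    server = KeyServer(lifetime)
    mgr = Manager(server, refresh_margin)
    results = []
    for now in range(horizon):
        server.reachable = not (outage_start <= now < outage_end)
        results.append(mgr.poll("router-1", now))   # constructed agent name
    return results


def failure_window(results):
    """Ticks during which the manager could not manage the agent at all."""
    return [t for t, ok in enumerate(results) if not ok]


if __name__ == "__main__":
    # Key lives 10 ticks; key server unreachable for ticks 8..19.
    print("no early refresh :", failure_window(simulate(10, 8, 20, 25)))
    print("refresh 3 early  :", failure_window(simulate(10, 8, 20, 25, 3)))
```

With the values above, the prefetched key carries the manager through the start of the outage, but once it expires the manager is locked out until the key server is back, which is exactly when it would most need to be managing the network. Renewing early (the refresh margin) pushes the lockout later but does not remove it if the outage outlasts the key lifetime; the only lever that does is a key lifetime longer than any outage you expect to diagnose, which is the trade-off the reply is pointing at.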