
Re: IPSEC Minutes - IETF28



Ran,

	I don't think there was consensus on the topic you cited.
Certainly the use of DH followed by RSA (or DSS) certificates has a
number of features, and it is the style of the key exchange adopted by
the CONS version of NLSP and demonstrated by Jim.  However, its
primary benefit relative to straight certificate exchange seems to be
in concealing the DNs of the communicants and in generating a one-time
key that cannot be recovered even if both communicants' private keys
(the complements of the public keys in their certificates) are
disclosed.  

	The first feature may be of some traffic flow security value,
but its effectiveness may be quite limited in practice (I don't know
if we can really predict) and it is subject to active attacks.  The
second feature is nice, but we can get close to it by having each
communicant contribute 1/2 of the bits for the (symmetric)
"association" key, so that BOTH communicants' private keys would have
to be compromised in order to recover the "association" key.  The

	I think the use of DH to begin the key exchange does add steps
to the process, i.e., fewer exchanges could be effected if the DH
didn't have to be done first.  Also, until a few more years pass, use
of DH calls for yet another license (in the U.S.).  Finally, I worry a
bit about the slippery slope that might arise, i.e., "let's just do
the DH exchange and not bother with certificates," as an alternative
key management protocol that forgoes authentication.  

	I don't mean to suggest that the key management protocol we
saw demonstrated and described is a bad proposal.  However, I do think
it premature to suggest that there was consensus on adopting it for
IPSEC at this point, given the relatively little discussion and
analysis the proposals have received so far.

Steve
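
Added example (not part of the original message): a Python sketch contrasting what a recorded transcript plus later-disclosed private keys yields under the half-key scheme and under an ephemeral DH exchange. The key sizes, primes, DH group, and the names `half_key_exchange`, `recover_half_key`, `dh_exchange` and `kdf` are assumptions constructed for illustration; the RSA here is textbook RSA without padding.

```python
import hashlib, secrets

E = 65537
def rsa_keypair(p, q):                      # textbook RSA, no padding: illustration only
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

# Constructed toy keys built from Mersenne primes; far too small/structured for real use.
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)

def kdf(*parts):
    return hashlib.sha256(b"|".join(str(p).encode() for p in parts)).hexdigest()

def half_key_exchange():
    """Each side sends a 64-bit half under the peer's public key."""
    a, b = secrets.randbits(64), secrets.randbits(64)
    transcript = {"to_bob": pow(a, BOB_PUB[1], BOB_PUB[0]),
                  "to_alice": pow(b, ALICE_PUB[1], ALICE_PUB[0])}
    return kdf(a, b), transcript

def recover_half_key(transcript, alice_priv=None, bob_priv=None):
    """What a recorder of the traffic gets from later-disclosed private keys."""
    a = pow(transcript["to_bob"], bob_priv[1], bob_priv[0]) if bob_priv else None
    b = pow(transcript["to_alice"], alice_priv[1], alice_priv[0]) if alice_priv else None
    return kdf(a, b) if a is not None and b is not None else None

P, G = 2**521 - 1, 3                        # toy DH group, constructed for the example

def dh_exchange():
    """Ephemeral DH; x and y are discarded when the function returns."""
    x, y = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    transcript = {"gx": pow(G, x, P), "gy": pow(G, y, P)}
    key_alice, key_bob = kdf(pow(transcript["gy"], x, P)), kdf(pow(transcript["gx"], y, P))
    assert key_alice == key_bob
    # In the design discussed, the RSA/DSS keys would only sign gx and gy,
    # so they never enter the key derivation.
    return key_alice, transcript
```

In the half-key case the recorded ciphertexts decrypt to the full association key once both private keys are disclosed, and to only one half with a single key; the DH transcript holds nothing that either private key decrypts.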

