Re: IPsec near term work
At 0:26 2/2/94 -0800, Phil Karn wrote:
>One of the reasons I've been putting off key management is a (sigh)
>familiar and thorny one to many of us: the public key patents and the
>politics surrounding them. I doubt I'm the only one.
>
>Everybody knows that the only truly practical way to do an IP key
>management protocol is with public key cryptography, but the sorry
>history of PEM isn't much cause for hope. Much of the Internet's
>success comes from its "let a thousand flowers bloom" philosophy, but
>so far those who control RSA haven't seen fit to legitimize this
>approach.
>
>Indeed, what is arguably now the best and most successful Internet
>implementation of RSA (PGP) was done in direct defiance of the patents
>and at considerable personal risk. A level of risk I would rather not
>assume myself, much less force others to assume.
>
>Will we have to wait until 1997 (when Diffie Hellman expires) or 2000
>(when RSA expires) to do anything with IP security beyond manual
>single-key cryptography? Is anyone willing to tackle this issue?
>
>Phil
We need an IP security protocol (encryption), period. We need one now even
if it means that we do manual key management. Frankly, key management can be
decoupled from the security protocol itself. We can at least move forward
and begin experimentation in that area even as we decide what to do about
key management.
Re: key management. Sometimes you have to dance with the devil. RSA seems
to have a headlock on the technology; their patents make that pretty
indisputable. (I know: someone could challenge them in court but my
company isn't going to carry that banner.) So we define a protocol that
uses RSA public-key technology with a Diffie-Hellman key exchange. Later
we can go on and define other methods. Sure this is suboptimal for
everyone but it is a very straightforward solution. It is the technology
of choice.
<loud resigned sigh> Maybe we can get out from under the patents and patent
royalties in a couple of years.
Brian Lloyd, President
Lloyd Internetworking
3031 Alhambra Drive, Suite 102
Cameron Park, CA 95682
brian@lloyd.com
(916) 676-1147 - voice
(916) 676-3442 - fax