Re: Granularity of authentication in swIPe
I don't have an opinion as to whether swIPe should be "standards
track" or not. We put it forward as an example, to show that
a generally useful security protocol doesn't have to be complex.
I hope it continues to serve in that role. If the grown-ups
want to turn it into a standard, that's OK, too.
I've therefore been loath to enter this emerging flamewar, but...
smb sez:
>swIPe has a one-byte keyid, which is unacceptable to me. It also has a
>packet sequence number, which is a rather dubious construct that needs
>a *lot* of debate, at the very least.
Actually, it's a two byte keyid.
I agree that the sequence number introduces a number of semantic and
performance issues that need to be discussed. JI and I included it as
a conceptually simple way to thwart replay attacks (which we regard
as an essential semantic in any security service), without needing a
lot of state at either side. Other suggestions welcome...
-matt
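As an added illustration (not code from swIPe, nor from this message): a receiver-side replay check of the kind a per-packet sequence number enables, holding only the highest accepted number and a 64-bit bitmap per key. The struct and function names, the window size and the scripted packet sequence are my own assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define WINDOW_BITS 64

/* Per-key receiver state (assumed layout, not swIPe's): the highest
 * sequence number accepted so far and a bitmap of which of the 64
 * numbers just below it have been accepted. Bit i set => last_seq - i seen. */
typedef struct {
    uint32_t last_seq;
    uint64_t window;
    bool     started;   /* false until the first packet under this key */
} replay_state;

void replay_init(replay_state *st) { memset(st, 0, sizeof *st); }

/* Returns true and records seq if it is fresh; false if it was already
 * accepted (a replay) or is older than the window (cannot judge, drop). */
bool replay_check(replay_state *st, uint32_t seq)
{
    if (!st->started) {
        st->started = true;
        st->last_seq = seq;
        st->window = 1;              /* bit 0 is last_seq itself */
        return true;
    }
    if (seq > st->last_seq) {        /* newer than anything seen: slide */
        uint32_t shift = seq - st->last_seq;
        /* a shift of >= 64 would be undefined in C, so clear explicitly */
        st->window = (shift >= WINDOW_BITS) ? 0 : (st->window << shift);
        st->window |= 1;
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= WINDOW_BITS)
        return false;                /* too old to remember: drop */
    uint64_t bit = (uint64_t)1 << diff;
    if (st->window & bit)
        return false;                /* already accepted: replay */
    st->window |= bit;               /* late but fresh: accept once */
    return true;
}

/* Constructed packet stream; returns bit i set if packet i was accepted. */
unsigned demo_results(void)
{
    static const uint32_t seqs[] = {1, 2, 5, 2, 3, 3, 5, 200, 1, 199};
    replay_state st; unsigned out = 0;
    replay_init(&st);
    for (unsigned i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        if (replay_check(&st, seqs[i])) out |= 1u << i;
    return out;
}
```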