
Re: SIPP and SKIP. 2 subjects.




>From ipsec-request@ans.net Tue Aug  2 11:17:28 1994
>You are assuming people will even necessarily have certificates. I
>think it's a good bet that they will, but many people would like to
>extend the use of Kerberos on their LANs to do IPSP key
>negotiation. I, for one, have sympathy for this notion, and don't want
>to make it impossible, although I think that in an inter-organization
>application it isn't practical. 

I also have sympathy for this notion (and I don't mean that
sarcastically :-).

I don't believe that in proposing a key-management scheme,
my motivation is to disallow other schemes. I believe the goal
of the IPSP protocol is explicitly to allow different
schemes to be pluggable, and I completely agree with
this goal.

I do believe, however, as you've noted in your messages
and also others have mentioned in the past, that there is 
a tension between generality and interoperability. We
will need to pick specific mechanisms, at some point
in time, and they will be dependent on certain algorithms.

If there is something that we can come up with, in terms
of a specific proposal and software to support that, that
makes it easy to transition from one mechanism to another,
then I am all for it.

Is there a concrete proposal that exists now,
or that someone is working on, that meets these requirements
of generality? Are you in the process of writing such a
proposal? Any pointers to documents, even in draft form,
would be appreciated.

Ashar.



