[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Modular approach to key management 11/08/94 19

To: garay@watson.ibm.com
Subject: Re: Modular approach to key management 11/08/94 19
From: "Housley, Russ" <housley@spyrus.com>
Date: Sun, 13 Nov 94 07:44:55
Cc: ipsec@ans.net
Encoding: 2531 Text

______________________________ Reply Separator _________________________________
Subject: Modular approach to key management   11/08/94         19:22:
Author:  "Juan A. Garay ((914) 784-6852)" <garay@watson.ibm.com> at internet
Date:    11/9/94 5:26 PM

Reference:  Your note of Tue, 08 Nov 94 19:22:22

First, Juan A. Garay Said:

     Our proposal doesn't force a user to use the "lower" module, thru
     which short-lived keys are derived . However, distributing keys thru   
     the means mentioned above is more expensive, and we believe ipsec has  
     to provide a more modular and efficient option. Our proposal
     accommodates this situation.

I replied:

    But, the proposal suggests that we start by standardizing the lower 
    module.  In my opinion, the upper module is the one that needs our 
    attention. The upper module is the one that uses key 
    distribution centers, certificate-based key management, or manual 
    key management.

Then Juan said:

    we are not proposing to forget about the upper module but, rather, 
    follow a "first things first" approach. We believe that there are 
    *very* convincing reasons (security and efficiency - need for
    frequent key updates; deployment and interoperability - support the 
    variety of existing key distribution technologies. and it's
    fundamental to have a common module!; methodological; etc.) to do 
    the lower module first and get us going.

My reply to this:

For IPSP to be widely deployed, automated key management is required.  By 
postponing the definition of KDC or certificate-based key management to 
establish traffic encryption keys, then the "lower module" is forced to use 
a manual approach.  While manual key management has its uses, I do not 
think that manual key management will facilitate the deployment of IPSP in 
the Internet.

In the IEEE 802.10c Key Management Protocol, all three forms of key 
management are supported:  KDC, certificate-based, and manual.  Each of 
these techniques can be used to establish a traffic encryption key, then a 
common attribute negotiation technique is used.  I think that IPSEC can 
adopt all of this work with minimal adaption to the Internet.  By starting 
with IEEE 802.10c, the "upper module" is nearly complete.  All that remains 
is to define the syntax for negotiation of IPSP attributes.

In my opinion, IEEE 802.10c offers the shortest time to market solution for 
IPSP key management.

Russ

Follow-Ups:

Re: Modular approach to key management 11/08/94 19

From: " " <amir@watson.ibm.com>

Prev by Date: Re: On SKIP and non-interactive key management
Next by Date: Re: Modular approach to key management
Prev by thread: What should we do first
Next by thread: Re: Modular approach to key management
Index(es):
- Main
- Thread