[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Modular approach to key management 11/08/94 19

To: "Housley, Russ" <housley@spyrus.com>, ipsec@ans.net
Subject: Re: Modular approach to key management 11/08/94 19
From: " " <amir@watson.ibm.com>
Date: Mon, 14 Nov 1994 08:38:17 -0500
In-Reply-To: Your message of "Sun, 13 Nov 1994 07:44:55." <9410137847.AA784741495@spysouth.spyrus.com>


Russ, you said:

>
> For IPSP to be widely deployed, automated key management is required.

Agreed!

> By
> postponing the definition of KDC or certificate-based key management to
> establish traffic encryption keys, then the "lower module" is forced to use
> a manual approach.

Or use another key distribution method both ends support - many candidates
exist... Having to agree on the mechanism is not the same as having to agree on
a key (manual key distribution).

However, I agree that it would be much better if we had automated negotiation
of methods i.e. a standard high-level key management alg. The questions are:
1. Should we do a small common module already, without waiting to resolve
the higher layer problem? We believe the answer is YES.
2. How do we solve the higher layer problem? I think there are too many
possibilities rather than too few... You seem to suggest a specific one:

> In the IEEE 802.10c Key Management Protocol, all three forms of key
> management are supported:  KDC, certificate-based, and manual.  Each of
> these techniques can be used to establish a traffic encryption key, then a
> common attribute negotiation technique is used.  I think that IPSEC can
> adopt all of this work with minimal adaptation to the Internet.  By starting
> with IEEE 802.10c, the "upper module" is nearly complete.

We (in particular Juan) tried to learn and re-use IEEE 802.10c as much as we
could. (Juan, you may want to elaborate.) Maybe you (and others) can help the
WG to use more of it - that would be great.

In particular, if it is really so easy to solve the `higher layer' problem
by adopting much of 802.10c, great! We need somebody who understands it
very well (better than us...) to make a contribution.

However, even if we have this contribution, it would still make sense to
have the `lower level' mechanism for short-lived keys, to increase
interoperability and get more products to market quicker.

One factor to remember is that there are many candidates for the higher
layer, including many existing products (e.g. our own NetSP) and emerging
standards such as SHTTP which could be re-used or merged. This is a very
important discussion and we hope to help. But, we believe this WG(s?)
should first provide the lower layer. Even if used with manual key management
by some pairs of partners, it would still help to `stop the bleeding' - and
this is what we were told to do by the IESG.

Best, Amir Herzberg

References:

Re: Modular approach to key management 11/08/94 19

From: "Housley, Russ" <housley@spyrus.com>

Prev by Date: Re: Modular approach to key management
Next by Date: Re: Modular approach to key management
Prev by thread: Re: Modular approach to key management
Next by thread: SKIP and interactive key management
Index(es):
- Main
- Thread