
Re: Modular approach to key management




Russ, I think we are going on a good path of identifying common ground vs.
differences and trying to decide. Let's proceed; I hope others will join this
discussion stating their own views.

To begin, it appears that you agree with the need for a modular approach
with a lower layer that refreshes short-lived keys from a long-lived (`master')
shared key:

>
> Amir:
>
> > 1. Do you agree with the `modular approach' to the problem? Namely, do
> > you see the need and value of having a lower layer mechanism which
> > refreshes the keys in an efficient and fault-tolerant manner on top
> > of IP, whose input is a shared long-lived key from some higher layer
> > mechanism? This is one critical design issue we need to get resolved.
>
> Yes, modular is good.

But then, we may differ on the requirements, design and function of this
lower layer.

>  No, the "lower layer" does not have to be at the IP
> layer.  X9.17 includes a three tier key management approach that meets the
> modular idea, but all of the key management is done at the application
> layer.  I think that key management should be done in the application
> layer, not IP.
>

Let me clarify: I also think the lower layer could be an application.

However, I suggest we use an application over UDP for two
reasons: efficiency and minimizing the requirements (as we hope that the
key management for IP would be implemented in routers etc.).

Do you agree?

What do you consider the most detailed existing specification of this lower
layer? As I've explained before, we've been looking into the standards you
mentioned, and found only abstract descriptions to which we believe our
proposal corresponds. Maybe there are newer versions. I'd appreciate it if you
could point us to them; we certainly would like to use whatever exists.

Best, Amir
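To make the "lower layer" of the modular approach concrete, here is an added illustration (not code from this thread or from any of the standards it mentions) of a refresh mechanism that derives short-lived epoch keys from a long-lived shared master key. The HMAC-SHA256 derivation, the one-hour lifetime, the label and the one-epoch clock-skew tolerance are all assumptions chosen for the example; the point is that both peers recompute the same key from a counter, so a refresh costs no message exchange and a peer that missed traffic is never left without a usable key.

```python
import hashlib
import hmac
import time

# Assumed refresh interval: each short-lived key is valid for one epoch.
KEY_LIFETIME_SECONDS = 3600

# Constructed demo value standing in for the long-lived key supplied by the
# higher-layer mechanism (never hard-code a real master key).
CONSTRUCTED_MASTER = b"constructed-master-key-for-demo-only"


def epoch_for(timestamp, lifetime=KEY_LIFETIME_SECONDS):
    """Map a time to an epoch counter; loosely synchronised peers agree on it."""
    return int(timestamp) // lifetime


def derive_short_lived_key(master_key, epoch, label=b"ip-keymgmt-epoch"):
    """Epoch key = HMAC-SHA256(master, label || epoch). The label separates this
    use of the master key from any other derivation sharing it."""
    msg = label + b"|" + epoch.to_bytes(8, "big")
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def current_key(master_key, now=None):
    """What a peer uses right now: (epoch, key), with no round trip needed."""
    now = time.time() if now is None else now
    epoch = epoch_for(now)
    return epoch, derive_short_lived_key(master_key, epoch)


def key_for_received_epoch(master_key, local_epoch, received_epoch, skew=1):
    """Fault tolerance for clock drift or a delayed packet: accept a peer's
    epoch within `skew` of ours and derive that key; reject anything further
    off so an attacker cannot pin us to an arbitrary epoch."""
    if abs(received_epoch - local_epoch) > skew:
        return None
    return derive_short_lived_key(master_key, received_epoch)


if __name__ == "__main__":
    e, k = current_key(CONSTRUCTED_MASTER)
    print("epoch", e, "key", k.hex())
```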
