Re: key management



On Dec 12, 19:40, Perry E. Metzger wrote:
Subject: key management

% 1) They lack a specified method for managing separate keys for
%    separate users; this is an articulated requirement for the IPv6
%    case according to the IPng Directorate.

Support for per-user keying is a requirement for IPv6. Period.
Key Mgmt that does not support per-user keying does not conform to
the IPv6 Security Architecture.

% 2) All but SKIP lack clearly articulated key certificates (and SKIP's
%    seem to be X.509 based, which is probably non-optimal)

IMHO, a key mgmt protocol should permit the use of DNS-supplied keys
(as per Eastlake-Kaufman which is likely to appear as a Proposed
Standard soon) for authentication of the key mgmt process.

% 3) All seem to lack hooks for a user level authentication system,
%    and this deficiency makes user level applications difficult
%    to write.

I don't understand what Perry means by this.

A draft IPv6 API for Security Extensions to BSD Sockets is likely to
appear soon as an Internet Draft.  That might be a useful item in
focusing discussion of how applications might use provided security
services for whichever set of people happen to be concerned with that
issue.

Ran
atkinson@itd.nrl.navy.mil