Re: key management
On Dec 12, 19:40, Perry E. Metzger wrote:
Subject: key management
% 1) They lack a specified method for managing separate keys for
% separate users; this is an articulated requirement for the IPv6
% case according to the IPng Directorate.
Support for per-user keying is a requirement for IPv6. Period.
Key Mgmt that does not support per-user keying does not conform to
the IPv6 Security Architecture.
% 2) All but SKIP lack clearly articulated key certificates (and SKIP's
% seem to be X.509 based, which is probably non-optimal)
IMHO, a key mgmt protocol should permit the use of DNS-supplied keys
(as per Eastlake-Kaufman which is likely to appear as a Proposed
Standard soon) for authentication of the key mgmt process.
% 3) All seem to lack hooks for a user level authentication system,
% and this deficiency makes producing user level applications
% difficult to write.
I don't understand what Perry means by this.
A draft IPv6 API for Security Extensions to BSD Sockets is likely to
appear soon as an Internet Draft. That might be a useful item in
focusing discussion of how applications might use provided security
services for whichever set of people happen to be concerned with that
issue.
Ran
atkinson@itd.nrl.navy.mil