
Re: key management



>I believe that many of the given key management protocols are still
>deficient in so far as 

Perry's concerns are valid, but they all seem to address what I'd call
certificate management, as opposed to session key management which is
what we're really discussing right now. In the tried-and-true
tradition of the Internet, we've been building IP security bottom-up,
which I think is the right thing to do.

As I said in my talk on Photuris, I assume for now that each end
already has a local trusted list of public keys for authorized users,
along with a policy database stating what the holder of each
corresponding private key will be allowed to do once they prove they
hold it (e.g., puncture a routing firewall, access services on that
particular host, etc).

We can worry about *how* that database gets built later, just as we
put off session key management until we had rough consensus on a
packet encapsulation format. There's something to be said for letting
the concrete harden on your foundation before building the upper
stories...

Phil
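The model Phil assumes above, as an added example that is not code from the message or from Photuris: a local trusted list of public keys, a policy database of what each key holder may do, and a check that grants those rights only after the peer proves it holds the matching private key. The proof of possession here is a toy Schnorr-style challenge-response over a tiny constructed group (an assumption for illustration, not the Photuris exchange); the policy names echo the ones in the message.

```python
# Added illustration: trusted key list + policy database + proof of possession.
# Toy Schnorr-style identification over a tiny group stands in for the real
# proof; the group parameters are constructed and far too small for real use.
import hashlib
import secrets

P, Q, G = 23, 11, 2   # constructed: prime P, prime Q dividing P-1, G of order Q mod P

def keygen(rng=secrets.randbelow):
    x = 1 + rng(Q - 1)             # private key in [1, Q-1]
    return x, pow(G, x, P)         # (private, public)

def key_id(y):
    # stable identifier for a public key in the trusted list
    return hashlib.sha256(str(y).encode()).hexdigest()[:16]

# Constructed local state: trusted public keys and the rights attached to each.
TRUSTED = {}      # key_id -> public key y
POLICY = {}       # key_id -> set of permitted actions

def enroll(y, rights):
    TRUSTED[key_id(y)] = y
    POLICY[key_id(y)] = set(rights)

# Prover side: commitment t = G^r, then response s = r + c*x to challenge c.
def prover_commit(rng=secrets.randbelow):
    r = 1 + rng(Q - 1)
    return r, pow(G, r, P)

def prover_respond(x, r, c):
    return (r + c * x) % Q

# Verifier side: look the key up, run a fresh challenge, return granted rights.
def authorize(kid, t, respond, rng=secrets.randbelow):
    y = TRUSTED.get(kid)
    if y is None:
        return set()                       # unknown key: nothing allowed
    c = 1 + rng(Q - 1)                     # fresh challenge
    s = respond(c)
    if pow(G, s, P) != (t * pow(y, c, P)) % P:   # G^s == t * y^c ?
        return set()                       # failed proof of possession
    return POLICY[kid]

def demo():
    x, y = keygen()
    enroll(y, ["puncture_routing_firewall", "access_host_services"])
    r, t = prover_commit()
    return authorize(key_id(y), t, lambda c: prover_respond(x, r, c))
```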


