key management layering




[this is the second copy of this message; the first appears to have
bounced. I am sorry if you see it more than once.]

Phil Karn says:
> >I believe that many of the given key management protocols are still
> >deficient in so far as 
> 
> Perry's concerns are valid, but they all seem to address what I'd call
> certificate management, as opposed to session key management which is
> what we're really discussing right now. In the tried-and-true
> tradition of the Internet, we've been building IP security bottom-up,
> which I think is the right thing to do.

Your point about the fact that these should be handled in separate
layers is, in my opinion, completely correct. My concern is not that
the key management protocols come with certificate management (or
whatever it's called) built in but that they have sufficient hooks that
such systems can be added on top. Some of the mechanisms we have been
presented with thus far (like Photuris) have places where such hooks
can be added. Some do not and indeed may make assumptions that make
such hooks impossible. I am merely pointing out that this is a real
issue and that the hooks have to be thought about in some detail.

Perry