
Kerberos and why I brought it up...




Ran Atkinson says:
> As I (probably incompletely) understand Perry's discussion about using
> Kerberos, he is suggesting using Kerberos as one (of several possible)
> way to distribute keys amongst Kerberised systems implementing packet
> encryption.  Where I think things got confusing is that Kerberos
> currently does also provide human-computer I&A as one of its features,
> though perhaps a feature not directly related to implementing packet
> encryption.  Within communities already using Kerberos, it seems to me
> very sensible to reuse the Needham-Schroeder key management technology
> already implemented within Kerberos as a possible way to distribute
> packet encryption keys and related data.

I agree with what you've said in that paragraph, but it isn't quite
what I was getting at.

When all the layers (IPSP, IKMP, some certificate management, etc) are
complete, we should be able to build secure networked distributed
applications from them. My concern was that some of the extant
proposals might not allow us to do that.  I suggested that we use
Kerberos as a functionality benchmark -- if you can't build, say, a
secure telnet on top of our new security protocols, and especially if
we can't build one that is as functional as a Kerberos-based secure
telnet, then we haven't done our job.

Entity authentication (be that users or servers) is not IPSP's job or
necessarily IKMP's job, but it has to be constructable with the tools
we ultimately provide.

Perry


