
SKIP re-keying not enough



> From: ashar@osmosys.incog.com (Ashar Aziz)
> > From: "marcus (m.d.) leech" <mleech@bnr.ca>
> >> At neither the Toronto, nor the
> >> San Jose meetings, did this issue come up.
>
> Since I was at both meetings, and since I did present the SKIP
> key-management protocol which uses in-band signalled keys at both
> meetings, and since I did give working demos of this kind of
> key-management at both meetings, I can safely say that this
> is not true.
>
Actually, it is quite correct.  The term "in-band" did not arise on the
overhead projector as an item which was a stated _requirement_ of the
protocol.  Nor did it show up in the minutes.

While I thank you for showing us your demo, I do believe that many of
the principles of SKIP were not well received.  Particularly the
key-management distribution, or lack thereof.  What you demonstrated did
not include what might be considered "management", since no management
took place.

I remember standing up and saying that while I found the concept of
relatively rapid key change to be seductive, the management of
initialization and distribution was not well conceived, requires a new
type of certificate not found in current databases, and has other
impediments to deployment.

Photuris uses currently distributed information, is independent of
security transform, and provides perfect forward secrecy.  It can be
re-keyed at 2-minute intervals with current hardware, which is
sufficient.

Bill.Simpson@um.cc.umich.edu