
Re: Nodes and Users




"William Allen Simpson" writes:
> > From: "Perry E. Metzger" <perry@piermont.com>
> > Bill has expressed to me in private mail that he thinks that the
> > question of certificates, certificate formats and naming can wait, but
> > frankly I don't think it can because we don't have a usable system
> > without it.
> >
> I firmly disagree.  The _usable_ system is Photuris with names and
> secrets, using only MD5 and DES, which can leverage off the current
> installed base.  This fills exactly the same needs as the AH and ESP
> base requirements.
> 
> As an intermediate step, PGP certificates are likely to be used.

That's fine, but we have to start looking into how names and
certificates can plug in. We can even build the architecture to be
extensible so we don't have to make permanent decisions, but we have
to make some. You have to be able to ask who it is you are talking to
and have a meaningful answer or perfect forward secrecy means nothing.

> Waiting for DNS-SIG, X.509 (3 versions), and other certificate
> distribution is not my idea of a usable system.  Maybe in 2001.

I don't think X.509 is viable, but surely we are smart enough to come
up with something that is viable. If we simply punt we don't have a
real deployable system.

Unlike some I don't think this is impossible for us to do and do
quickly. However, it has to be done.

Perry
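The point Perry makes above, that a key exchange with perfect forward secrecy is worthless unless you can say who the other end is, can be shown directly. The following is an added example, not code from the thread, from Photuris, or from either author: a toy Diffie-Hellman exchange run first with no authentication (an active attacker sitting in the middle ends up sharing a key with each side) and then with the "names and secrets" style binding Simpson refers to, where each party's DH value is tagged under a pre-shared secret looked up by peer name. The prime, the generator, the party names and the secrets table are all constructed for the demo; the group is far too small for real use, and SHA-256 stands in for the MD5 that Photuris-era designs used.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only: 2**127 - 1 is
# prime, but the group is far too small for real use and is not a Photuris
# or IKE group.
P = 2**127 - 1
G = 2

# "Names and secrets": each party holds a table of peer name -> pre-shared
# secret. Constructed sample data for the demo.
SECRETS = {
    ("alice", "bob"): b"alice-bob-preshared-secret",
}


def psk(me, peer):
    # Same secret regardless of which side looks it up.
    return SECRETS[tuple(sorted((me, peer)))]


def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(priv, peer_pub):
    # Hash the DH result down to a session key (SHA-256 here; Photuris-era
    # designs used MD5).
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def tag(me, peer, pub):
    # Bind my DH public value to my claimed name under the secret I share
    # with the peer I think I am talking to.
    msg = me.encode() + b"|" + pub.to_bytes(16, "big")
    return hmac.new(psk(me, peer), msg, hashlib.sha256).digest()


def verify(me, claimed_peer, pub, t):
    # A name we hold no secret for is not a meaningful answer to "who is
    # this?", so it fails outright.
    try:
        expected = tag(claimed_peer, me, pub)
    except KeyError:
        return False
    return hmac.compare_digest(expected, t)


def unauthenticated(mitm):
    # Plain DH: forward secrecy, but no idea who the other end is.
    a, A = keypair()
    b, B = keypair()
    if not mitm:
        return {"alice": derive_key(a, B), "bob": derive_key(b, A), "mallory": None}
    m, M = keypair()
    # Mallory replaces each public value with her own in transit.
    return {
        "alice": derive_key(a, M),
        "bob": derive_key(b, M),
        "mallory": (derive_key(m, A), derive_key(m, B)),
    }


def honest_unauthenticated_agrees():
    r = unauthenticated(mitm=False)
    return r["alice"] == r["bob"]


def mitm_succeeds_unauthenticated():
    # Alice shares a key with Mallory, Bob shares a different key with
    # Mallory, and neither notices anything.
    r = unauthenticated(mitm=True)
    k_with_alice, k_with_bob = r["mallory"]
    return (r["alice"] == k_with_alice and r["bob"] == k_with_bob
            and r["alice"] != r["bob"])


def authenticated(mitm):
    # Same DH, but each public value arrives with (name, pub, tag) and the
    # receiver checks the tag under the secret it holds for that name.
    a, A = keypair()
    b, B = keypair()
    msg_a = ("alice", A, tag("alice", "bob", A))
    msg_b = ("bob", B, tag("bob", "alice", B))
    if mitm:
        m, M = keypair()
        # Mallory can swap in M but, without the secret, can only guess a tag.
        msg_a = ("alice", M, secrets.token_bytes(32))
        msg_b = ("bob", M, secrets.token_bytes(32))
    name_b, pub_b, t_b = msg_b
    name_a, pub_a, t_a = msg_a
    alice_ok = verify("alice", name_b, pub_b, t_b)
    bob_ok = verify("bob", name_a, pub_a, t_a)
    return alice_ok, bob_ok


if __name__ == "__main__":
    print("unauthenticated, honest:", honest_unauthenticated_agrees())
    print("unauthenticated, MITM succeeds:", mitm_succeeds_unauthenticated())
    print("authenticated, honest:", authenticated(mitm=False))
    print("authenticated, MITM:", authenticated(mitm=True))
```

The unauthenticated run still has forward secrecy in the textbook sense (compromising a long-term key later reveals nothing, because there is no long-term key), and it is exactly as useless as Perry says: Mallory gets a fresh key with each side. The second run only works because "alice" and "bob" are names that resolve to a secret; the mechanism that does that resolution, whether a pre-shared table as here or a certificate, is the piece the thread is arguing about.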
