Re: photuris-06.txt
I'd like to make a few assertions in the name of forward progress:
Assertion 1:
- The current Photuris draft is not adequate for systems which
support multiple cryptographic identities and which *attempt* to
segregate users from each other.
Assertion 2:
- The text in the current drafts regarding MLS systems encourages
people to *think* that assertion 1 may be false until after they spend
considerable time attempting to work out scenarios for using Photuris
and IPSec within networks of multi-user systems. This has led to a
fair amount of thrashing about on this list and in private mail.
Assertion 3:
- I don't see this limitation as a fundamental limit of photuris; I
think that some relatively *MINOR* adjustments and extensions can be
made to the protocol to securely support multi-user systems. Most
likely, these adjustments would come in the form of additional
attributes.
Suggestion:
- The current photuris draft should admit that Photuris as currently
specified is only adequate for systems supporting a single
cryptographic entity at a time; this entity could be viewed as either a
"host" or a "user".
- Defer work on multi-cryptographic-entity systems to a separate
draft, to be titled something like "extensions to photuris for multi-user
systems".
- Bill