
Re: Photuris Long-Term Session-Keys



> Date: Sun, 19 Nov 1995 21:30:39 -0700
> From: Hilarie Orman <ho@cs.arizona.edu>
> > This should obviate the only "advantage" of SKIP.
>
> What about the ability to communicate over a unidirectional link?
>
This was mentioned in jest?

The SKIP "certificate discovery protocol" [page 42] sends requests to
the node from which it received the SKIP datagram.  That requires
two-way communication.  To quote:

        An optional protocol is described to enable communicating
        IP-nodes to discover each other's certificate(s). This obviates
        the need for an on-line certificate directory server.

Of course, once the certificate is obtained and the shared-secret is
calculated, then one-way is possible.  But that is true of normal IP
Security as well, using Photuris.

Photuris is an automated key management protocol.  Please compare the
key management functions themselves.

Note that certificate management in SKIP is _optional_.  I guess that's
what makes it "simple".

                                ----

While I'm thinking about it, SKIP also allows "intermediate
authentication" at routers.  This, of course, requires manual key setup.
Again, not an automated key management function.

It also requires the sharing of both parties' secret keys with all the
routers en route.  Pretty bad security.  I have a tendency to ignore
so-called "security features" which reduce security.

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
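The two points argued in the message above, as an added illustration that is not part of the original mail nor of the SKIP or Photuris specifications: certificate discovery is a request/reply exchange and so fails without a return path, whereas once both long-term Diffie-Hellman certificates are known, authenticated datagrams can flow in one direction with no reply at all; and handing the pairwise key to a router so it can do "intermediate authentication" also lets that router originate traffic the receiver accepts. The DH group, the certificate format, the `Node` class and the HMAC-SHA256 key derivation are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group.  2**127 - 1 is prime, but the group is
# far too small to be secure; a real deployment uses a large MODP group.
P = 2**127 - 1
G = 3
TAG_LEN = 32


def _kdf(secret_int, label):
    """Derive a per-purpose key from the DH shared secret (HMAC-SHA256, assumed here)."""
    secret_bytes = secret_int.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(secret_bytes, label, hashlib.sha256).digest()


def authenticate(key, payload):
    """Append an HMAC tag to a datagram payload."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class Node:
    """A SKIP-style IP node holding a long-term DH key pair (hypothetical model)."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1      # private exponent in 1 .. P-2
        self.pub = pow(G, self.priv, P)               # long-term public DH value
        self.certs = {}                               # peer name -> certificate

    def certificate(self):
        # Stand-in for a real certificate binding a name to a public DH value.
        return {"name": self.name, "pub": self.pub}

    def discover(self, peer, return_path):
        """Certificate discovery: a request to the peer, answered by a reply that
        carries the certificate.  With no return path the reply cannot arrive,
        so discovery fails.  This is the two-way requirement noted in the mail."""
        if not return_path:
            return None
        self.certs[peer.name] = peer.certificate()
        return self.certs[peer.name]

    def shared_secret(self, peer_name):
        """Long-term pairwise secret g^(ab) mod p; needs only the peer's certificate."""
        return pow(self.certs[peer_name]["pub"], self.priv, P)

    def send(self, peer_name, payload):
        """Authenticate a datagram for the peer.  No reply is needed: the key is
        derived locally from the long-term shared secret."""
        return authenticate(_kdf(self.shared_secret(peer_name), b"datagram-auth"), payload)

    def receive(self, peer_name, datagram):
        """Verify a datagram claimed to come from the peer; payload or None."""
        key = _kdf(self.shared_secret(peer_name), b"datagram-auth")
        payload, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, expected) else None


def demo():
    alice, bob = Node("alice"), Node("bob")

    # 1. Discovery over a unidirectional link (alice -> bob only) cannot complete.
    one_way = alice.discover(bob, return_path=False)

    # 2. Over a two-way link both sides obtain each other's certificate.
    alice.discover(bob, return_path=True)
    bob.discover(alice, return_path=True)
    secrets_agree = alice.shared_secret("bob") == bob.shared_secret("alice")

    # 3. From here on alice can send to bob with no reply from bob at all.
    datagram = alice.send("bob", b"constructed payload: route update")
    accepted = bob.receive("alice", datagram)

    # 4. A modified datagram is rejected.
    tampered = bytes([datagram[0] ^ 0x01]) + datagram[1:]
    rejected = bob.receive("alice", tampered)

    # 5. "Intermediate authentication" means giving a router the pairwise key.
    #    A router holding it can verify, but can equally forge traffic that bob
    #    accepts as alice's: the objection raised in the mail.
    router_key = _kdf(alice.shared_secret("bob"), b"datagram-auth")
    forged = authenticate(router_key, b"constructed payload: forged by router")
    forgery_accepted = bob.receive("alice", forged) is not None

    return {
        "discovery_without_return_path": one_way,
        "secrets_agree": secrets_agree,
        "accepted_payload": accepted,
        "tampered_rejected": rejected is None,
        "router_forgery_accepted": forgery_accepted,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Step 3 is the "once the certificate is obtained and the shared-secret is calculated, then one-way is possible" case; it holds for any key-management protocol that ends with a pairwise secret on both sides, which is why the mail says it is no advantage over Photuris. Step 5 shows why sharing the pairwise key with routers is a loss rather than a feature: the same key that lets a router verify lets it originate.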

