
Re: Photuris Long-Term Session-Keys



> The SKIP "certificate discovery protocol" [page 42] sends requests to
> the node from which it received the SKIP datagram.  That requires
> two-way communication.  To quote:
> 
>         An optional protocol is described to enable communicating
>         IP-nodes to discover each other's certificate(s). This obviates
>         the need for an on-line certificate directory server.
> 
> Of course, once the certificate is obtained and the shared-secret is
> calculated, then one-way is possible.  But that is true of normal IP
> Security as well, using Photuris.

Not exactly.  SKIP public values can be distributed in ways other than
the Discovery protocol.   One could use floppies, directory services, etc.
Then, the two-way isn't needed at all.

It is more analogous to this:  I need to find your IP address to talk to
you.  I can query a name service, call you on the phone or whatever. Once
I have your IP address, I don't need anything else to start sending you
IP packets.   Think of the public value like an IP address.  Once I have it,
I don't need any exchanges with you to begin sending encrypted/authenticated
data.

I believe SKIP is the only key management protocol which displays this 
property. 

> Note that certificate management in SKIP is _optional_.  I guess that's
> what makes it "simple".

It's optional because it is a convenient, limited solution to a much 
larger problem of key distribution.

Regards,

--tom
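The property tom describes above, as an added example that is not code from the original message or from the SKIP specification: each node publishes a long-term Diffie-Hellman value once, by whatever channel it likes, and a sender who holds the peer's value derives the pairwise key and protects a datagram without any exchange with that peer. The group is RFC 3526 group 14 (2048-bit MODP, generator 2), and a fresh per-packet key wrapped under the pairwise secret follows SKIP's general structure; the KDF, the HMAC-SHA256 counter-mode stream cipher standing in for a block cipher, the header layout and every name in the code are assumptions made for this demo, not SKIP's algorithms or wire format. The sample message is constructed.

```python
"""SKIP-style one-way key setup with only the Python standard library (demo)."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
NONCE_LEN, KEY_LEN, TAG_LEN = 16, 32, 32
SAMPLE_MSG = b"SKIP datagram: no handshake was needed to send this"  # constructed

def is_probable_prime(n, rounds=8):
    """Miller-Rabin; only a sanity check that P above was transcribed correctly."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen():
    """Long-term node key pair: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def shared_secret(my_priv, their_pub):
    """Kij = (g^j)^i = g^(ij) mod p, computed locally; nothing is sent to the peer."""
    if not 2 <= their_pub <= P - 2:        # reject 0, 1 and p-1 (degenerate values)
        raise ValueError("bad public value")
    return pow(their_pub, my_priv, P)

def kdf(secret, label):
    """32-byte key from an int or bytes secret and a purpose label (demo KDF)."""
    if isinstance(secret, int):
        secret = secret.to_bytes(256, "big")
    return hmac.new(secret, label, hashlib.sha256).digest()

def stream_xor(key, nonce, data):
    """XOR with an HMAC-SHA256 counter-mode keystream: demo stand-in for a block cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def skip_encrypt(my_priv, their_pub, plaintext):
    """Sender: needs only its own private value and the peer's published public value."""
    kek = kdf(shared_secret(my_priv, their_pub), b"demo-kek")  # long-term wrap key
    nonce, kp = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(KEY_LEN)
    header = nonce + stream_xor(kek, nonce, kp)               # per-packet key Kp under Kij
    ct = stream_xor(kdf(kp, b"enc"), nonce, plaintext)
    tag = hmac.new(kdf(kp, b"mac"), header + ct, hashlib.sha256).digest()
    return header + ct + tag

def skip_decrypt(my_priv, their_pub, packet):
    """Receiver: recompute Kij from the sender's public value, unwrap Kp, verify, decrypt.
    Returns None for a short, tampered, or wrong-key packet."""
    if len(packet) < NONCE_LEN + KEY_LEN + TAG_LEN:
        return None
    nonce, wrapped = packet[:NONCE_LEN], packet[NONCE_LEN:NONCE_LEN + KEY_LEN]
    ct, tag = packet[NONCE_LEN + KEY_LEN:-TAG_LEN], packet[-TAG_LEN:]
    kp = stream_xor(kdf(shared_secret(my_priv, their_pub), b"demo-kek"), nonce, wrapped)
    want = hmac.new(kdf(kp, b"mac"), packet[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return stream_xor(kdf(kp, b"enc"), nonce, ct)

def demo():
    """Alice sends to Bob with no prior exchange; Bob reads it, Mallory cannot."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    mallory_priv, _ = keygen()
    pkt = skip_encrypt(alice_priv, bob_pub, SAMPLE_MSG)
    return {
        "symmetric": shared_secret(alice_priv, bob_pub) == shared_secret(bob_priv, alice_pub),
        "bob_reads": skip_decrypt(bob_priv, alice_pub, pkt),
        "mallory_reads": skip_decrypt(mallory_priv, alice_pub, pkt),
        "tampered": skip_decrypt(bob_priv, alice_pub, pkt[:-1] + bytes([pkt[-1] ^ 1])),
    }

if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in view: the receiver still has to know whose public value to use (the packet has to identify the sender's key, which is what SKIP's header does), and a static-static Diffie-Hellman secret has no forward secrecy on its own, so compromise of either long-term private value exposes every packet key ever wrapped under Kij. That is the price of not needing a round trip.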


