
Re: WG Last Call for SKIP I-D



Received from Phil Karn (responding to Ashar):

>>Secure e-mail protocols, such as PGP, PEM, MOSS, etc. are widely
>>used in the Internet community for encryption purposes, and these provide
>>no perfect forward secrecy.
>
>>If we accept lack of pfs for e-mail, why is it unacceptable for
>>IP? Is encrypted IP data inherently more valuable than encrypted
>>e-mail data?
>
>I "accept" no PFS for email right now only because I have no viable
>alternative.  I am increasingly dissatisfied with the lack of PFS
>where it could easily be supported, i.e., in interactive
>communications. I generate a new PGP key pair every year or two at
>considerable inconvenience (look at my signature list!) just to put
>SOME limit on the damage that a compromise could cause.
>
>This is one reason I've made PFS such a priority in Photuris. Still,
>I'll have to accept no PFS when operating in unidirectional
>environments until somebody figures out how to do it.

Let me emphasize this. If I use SKIP in my firewall and its
private key is compromised then *all* traffic in a *very long time*
*from and to* the firewall is immediately exposed.
That not only includes my incoming and outgoing mail, but also the
telnet sessions, the ftp's, etc. etc. etc.
I frankly wonder if Sun's headquarters would "defend" themselves with such a
firewall.

>
>>There is a BIG distinction between central storage of long-term
>>keys (the KDC represents a single "fat target") and decentralized
>>storage of long term keys.
>
>Agree. Still, it's best to not do even this if you don't have to.
>

About the KDC example: even in that case PFS is a great solution. Even a
break-in at the KDC will not compromise my session traffic
if the KDC-provided key is used *only* to authenticate a Diffie-Hellman exchange.

Hugo
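
The contrast drawn in the message above, as an added Python example that is not part of the original e-mail or of SKIP or Photuris: a long-term key that directly derives traffic keys, next to the same key used only to authenticate an ephemeral Diffie-Hellman exchange. The group parameters, labels and function names are assumptions made for the demo, and the "static" derivation is a simplified model, not SKIP's actual key hierarchy.

```python
import hashlib, hmac, secrets

# Toy parameters (assumption): 2**255 - 19 is prime, but this is NOT a vetted
# Diffie-Hellman group; it only keeps the demo free of dependencies.
P, G = 2**255 - 19, 2

def enc(n: int) -> bytes:
    return n.to_bytes(32, "big")

def kdf(label: bytes, *parts: bytes) -> bytes:
    return hashlib.sha256(label + b"".join(parts)).digest()

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def static_session(long_term: bytes, nonce: bytes) -> bytes:
    # No PFS (simplified model): the traffic key is a function of the
    # long-term key and a value that travels in the clear.
    return kdf(b"static", long_term, nonce)

def tags_valid(long_term: bytes, wire) -> bool:
    # Authentication check on the recorded exchange (A, tag_a, B, tag_b).
    A, tag_a, B, tag_b = wire
    return (hmac.compare_digest(tag_a, mac(long_term, b"init", enc(A))) and
            hmac.compare_digest(tag_b, mac(long_term, b"resp", enc(A), enc(B))))

def dh_session(long_term: bytes):
    # PFS: the long-term key only MACs the ephemeral public values.
    a, b = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    A, B = pow(G, a, P), pow(G, b, P)
    wire = (A, mac(long_term, b"init", enc(A)),
            B, mac(long_term, b"resp", enc(A), enc(B)))
    if not tags_valid(long_term, wire):
        raise ValueError("peer authentication failed")
    key_init = kdf(b"dh", enc(pow(B, a, P)))   # initiator's view
    key_resp = kdf(b"dh", enc(pow(A, b, P)))   # responder's view
    # a and b are dropped on return; the session key never depended on long_term.
    return key_init, key_resp, wire

def later_compromise(long_term: bytes, nonce: bytes, wire) -> dict:
    # What someone who recorded the traffic can compute once long_term leaks:
    # the static traffic key outright, but for DH only that the tags check out.
    # Rebuilding the DH session key would still need the erased a or b.
    return {"static_key": static_session(long_term, nonce),
            "dh_tags_valid": tags_valid(long_term, wire)}
```
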


