
Key Management, anyone?



What's going on with key management?  Are there key management
mailing lists, perhaps?

Let me stimulate some discussion.

Looking at the ISAKMP drafts, there are a number of inconsistencies
in interpretation, not just what the fields are supposed to mean,
but whether or not you have to even send them.  Example: Auxiliary
SPIs (interpretation depends on DOI, message in sequence, whether
it's a leap year, phase of moon, what else?).

The whole use of DOIs per SA is kind of confusing. What are the
"mix-and-match" rules? Envelopes? Sounds convenient, but then, if
I want to communicate an SPI under negotiation, I have to use one.
But, maybe not (Cisco draft), if the SPI value is 0 anyway. The
three flavors of Internet DOI (annex A, Oakley, Cisco) clearly
aren't interoperable yet.

Authentication is also kind of messed up. Why does every CA need
a registered number even though all X.509 certificates are
self-describing as to CA and even algorithms? Why does Oakley think
that DNSSEC is ever going to take off? Making something so tentative
mandatory is a shot in the foot. Besides, DNSSEC doesn't solve
the problem (who's going to administer it? what about DHCP or
PPP dynamic addressing?). How does one introduce other certificate
formats, like SPKI, without issuing a new RFC?

All of this is fixable, of course.  Where are these issues being 
discussed?  

Thanks,
Joe


