Re: no SKIP/ISAKMP/OAKLEY resolution
At 12:45 PM 9/2/96 +0000, Ashar Aziz wrote:
>> From: Hilarie Orman <ho@earth.hpc.org>
>> The design group attempting to combine SKIP/OAKLEY/ISAKMP into one protocol
>> has been unable to resolve deeply held technical differences of opinion.
>
>Initially, we had hopes of finding a common basis for moving
>forward. However, we discovered soon afterwards that there
>were differences of opinion that we simply could not overcome.
It would be very helpful if these differences of opinion were
documented someplace. Is anyone going to do this?
Thanks,
Joe
= ========================================================= =
Joe Tardo Voice: 415-843-0991
Raptor Systems, Inc.
777 San Antonio Ave. Suite 92 Fax: 617-487-6755
Palo Alto, CA. 94303
= ========================================================= =

Date: Sun, 1 Sep 1996 17:07:56 -0400
From: Hilarie Orman <ho@earth.hpc.org>
Message-Id: <199609012107.RAA15389@earth.hpc.org>
To: David_Wheeler-P26179@email.mot.com
Cc: ipsec@TIS.COM
In-Reply-To: Yourmessage <199608292023.NAA29362@baskerville.CS.Arizona.EDU>
Subject: Re: Everything degenerates to Key Management
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

How far does the group want to go to achieve consensus? One can
easily design a single protocol that meets all the proposed goals for
key management. What seems impossible is to convince people that this
all MUST be implemented. For every option there is a contingent that
opposes it, for every option there is a contingent that supports it,
for every subset there is a group that thinks it is too much to implement.
(heavy sigh).

The shopping list is:

  sessions, in-line key encrypting keys
    sublist for second item above: separate hdr, extensions to ESP/AH hdrs
  key determination via PFS or non-PFS
  identity protection via PFS or non-PFS
  authentication via DH, RSA encryption, RSA signatures, or DSS
    (El Gamal hasn't yet been seriously considered)
  X.509v3 and DNS KEY/SIG records for PK authentication
  certificate inclusion, certificate retrieval
  elliptic curve groups
  new group definitions via protocol
  ISAKMP framework, other framework
  (I think that's all)

Agree whole-heartedly on what you want, set a design team to work, good will
follow.
Hilarie Orman

Date: Mon, 2 Sep 1996 18:20:42 -0400
From: Hilarie Orman <ho@earth.hpc.org>
Message-Id: <199609022220.SAA19077@earth.hpc.org>
To: tardo@raptor.com
Cc: ipsec@TIS.COM
In-Reply-To: Yourmessage <199609022204.PAA13732@baskerville.CS.Arizona.EDU>
Subject: Re: no SKIP/ISAKMP/OAKLEY resolution
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

> It would be very helpful if these differences of opinion were
> documented someplace. Is anyone going to do this?

It's not obvious that the differences would be helpful to others; in
any event, the team felt comfortable working privately and there were
no plans to publicize the details of a failure. There's been a great
deal of public discussion already, and of course, more is coming, so there's
hardly a void of information.

I feel that the shopping list I posted earlier contains the relevant issues,
every one of which has been addressed by one or more proposed protocols. If
the working group can decide on which ones are essential, which are optional,
then a solution can be quickly found.
Hilarie Orman