Re: IPSEC WORKING GROUP LAST CALL
Henry Spencer wrote:
>
> >>> C. The desire to use a public key algorithm.
> >>Use of a public key algorithm is an engineering necessity, not a desire.
> >
> >Here I think we differ on what the secure IP network model should be.
> >I believe that it should be a resource owned by an organization or a
> >company that wants to control access to it and protect their
> >communications...
>
> What of two organizations which wish to limit access to, and protect,
> their inter-organization communications? This is not an imaginary
> example: the auto industry has been pushing IPSEC, because the car
> manufacturers want secure electronic communication with their part
> suppliers. Note that the pattern of trust and non-trust here is complex,
> and probably could not be satisfied by a single key authority or a small
> number of them: many of the companies involved are competitors, and the
> supplier relationship is a complex dynamic directed graph, not a simple
> fixed tree. Any attempt to solve this with private keys ends up inventing
> something vaguely analogous to a public-key system, but more complex and
> with more vulnerabilities.
>
> IPSEC, like IP, is not just for single-organization private networks.
> A *general-purpose* cryptographic security system must use public-key
> technology.
>
In fact, for single-organization networks of larger than, perhaps, a
couple of nodes, the only workable, acceptable key-management mechanism
uses public keys. Intercompany/interenterprise is not the only reason
driving technical leaders in the security community towards public-key
mechanisms.
I'll agree with the original poster that the choice of public-key based
algorithms carries with it a not-insignificant computing burden.
Careful operational engineering can alleviate most of those problems.
--
----------------------------------------------------------------------
Marcus Leech                               Mail:  Dept 8M86, MS 012, FITZ
Systems Security Architect                 Phone: (ESN) 393-9145  +1 613 763 9145
Messaging and Security Infrastructure      Fax:   (ESN) 395-1407  +1 613 765 1407
Nortel Technology                          mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------
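The scaling argument made in this thread (pairwise secrets over a complex, changing supplier graph versus one key pair per party) can be made concrete with a small model. The following is an added example, not code from either poster or from any IPsec implementation; the organization names and the edge list are constructed, and the functions (psk_secrets, pk_secrets, blast_radius, full_mesh_costs) are hypothetical helpers that only count what each scheme forces each party to hold, distribute and replace.

```python
"""Key-management cost of pairwise pre-shared keys vs. per-node key pairs.

The supplier relationship is modelled as a directed graph: an edge (a, b)
means a sends protected traffic to b.  The graph below is constructed for
illustration; the organization names are made up.
"""
from itertools import combinations

# Constructed example: two car makers and three suppliers, some of them
# competitors, with asymmetric and bidirectional links.
EDGES = [
    ("carco-a", "supplier-1"), ("supplier-1", "carco-a"),
    ("carco-b", "supplier-1"), ("supplier-1", "carco-b"),
    ("carco-a", "supplier-2"), ("supplier-2", "carco-a"),
    ("supplier-2", "supplier-3"), ("supplier-3", "supplier-2"),
    ("carco-b", "supplier-3"),
]


def nodes(edges):
    """All parties that appear in the graph."""
    return sorted({n for e in edges for n in e})


def psk_secrets(edges):
    """Pre-shared keys: one secret per communicating pair.

    Direction does not matter for a shared secret, so (a, b) and (b, a)
    collapse to one key.  Every secret is held by two parties and must be
    delivered to both out of band.
    """
    return {frozenset(e) for e in edges}


def pk_secrets(edges):
    """Public-key scheme: one private key per party, held only by that party.

    Peers need only an authentic copy of the public key, which is not a
    secret and can be published or certified.
    """
    return {n: f"priv({n})" for n in nodes(edges)}


def blast_radius(edges, compromised):
    """Secrets that must be replaced if `compromised` loses its key store.

    Returns (psk_count, pk_count).  Under PSK every secret the victim held
    is shared with a peer, so each peer is dragged into the re-key; under
    public key only the victim's own private key is affected.
    """
    psk = {s for s in psk_secrets(edges) if compromised in s}
    pk = {compromised} if compromised in pk_secrets(edges) else set()
    return len(psk), len(pk)


def join_costs(edges, peers):
    """New secrets to agree when a party joins with links to `peers`.

    PSK: one fresh secret negotiated out of band with each peer.
    Public key: one key pair generated locally, public half distributed.
    """
    return len(set(peers)), 1


def full_mesh_costs(n):
    """Worst case: n parties that all talk to each other.

    Returns (psk_count, pk_count) = (n(n-1)/2, n); the first grows
    quadratically, the second linearly.
    """
    mesh = list(combinations(range(n), 2))
    return len(mesh), n


if __name__ == "__main__":
    print("parties:", nodes(EDGES))
    print("PSK secrets:", len(psk_secrets(EDGES)),
          "| private keys:", len(pk_secrets(EDGES)))
    print("compromise of supplier-1 forces re-key of (psk, pk):",
          blast_radius(EDGES, "supplier-1"))
    print("new supplier with 3 customers needs (psk, pk):",
          join_costs(EDGES, ["carco-a", "carco-b", "supplier-2"]))
    for n in (5, 20, 100):
        print(f"full mesh of {n}: (psk, pk) =", full_mesh_costs(n))
```

The model ignores how keys are authenticated (the certificate or key-authority question raised in the thread); it isolates only the distribution and revocation burden, which is the part that grows with the number of relationships rather than with the number of parties.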