Re: IPSEC WORKING GROUP LAST CALL



Henry Spencer wrote:
> 
> >>>   C. The desire to use a public key algorithm.
> >>Use of a public key algorithm is an engineering necessity, not a desire.
> >
> >Here I think we differ on what the secure IP network model should be.
> >I believe that it should be a resource owned by an organization or a
> >company that wants to control access to it and protect their
> >communications...
> 
> What of two organizations which wish to limit access to, and protect,
> their inter-organization communications?  This is not an imaginary
> example:  the auto industry has been pushing IPSEC, because the car
> manufacturers want secure electronic communication with their part
> suppliers.  Note that the pattern of trust and non-trust here is complex,
> and probably could not be satisfied by a single key authority or a small
> number of them:  many of the companies involved are competitors, and the
> supplier relationship is a complex dynamic directed graph, not a simple
> fixed tree.  Any attempt to solve this with private keys ends up inventing
> something vaguely analogous to a public-key system, but more complex and
> with more vulnerabilities.
> 
> IPSEC, like IP, is not just for single-organization private networks.
> A *general-purpose* cryptographic security system must use public-key
> technology.
> 
In fact, for single-organization networks larger than, perhaps, a couple
of nodes, the only workable, acceptable key-management mechanism uses
public keys.  Intercompany/interenterprise is not the only reason
driving technical leaders in the security community towards public-key
mechanisms.

I'll agree with the original poster that the choice of public-key-based
algorithms carries with it a not-insignificant computing burden.
Careful operational engineering can alleviate most of those problems.

-- 
----------------------------------------------------------------------
Marcus Leech                             Mail:   Dept 8M86, MS 012, FITZ
Systems Security Architect               Phone: (ESN) 393-9145  +1 613 763 9145
Messaging and Security Infrastructure    Fax:   (ESN) 395-1407  +1 613 765 1407
Nortel Technology                        mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------