
Re: [ipsec] FW: Key Recovery



At 12:00 PM 4/9/98 -0700, CJ Gibson wrote:

I would recommend not to touch this approach to Key recovery.  It alters IKE.

Vach Kompella (kompella@us.ibm.com) has a proposal to vendors to use an
ICMP message to the KRC.  This approach is orthogonal to IKE and thus can
be developed on a vendor by vendor basis.

>Can anybody out there help us with this issue of Key Recovery ?? Have
>any of you decided to implement this ??
>Thanks in advance,
>					CJ
>
>-----Original Message-----
>From:	CJ Gibson [SMTP:cjgibson@semaphorecom.com]
>Sent:	Thursday, April 09, 1998 11:52 AM
>To:	Margaret Gaynes
>Cc:	cj; Roger Wang
>Subject:	RE: Key Recovery
>
>Reply at bottom of note..
>	-----Original Message-----
>	From:	Margaret Gaynes [SMTP:mgaynes@semaphorecom.com]
>	Sent:	Thursday, April 09, 1998 11:11 AM
>	To:	CJ
>	Cc:	Roger Wang
>	Subject:	Key Recovery
>
>By the end of the year we have to implement Key Recovery using the TIS
>RecoverKey tool kit. The way it works is that each encrypted packet has
>a Key Recovery Field (KRF) that travels with the encrypted data. It is
>the session key and recovery info encrypted with the public RSA key of
>the Key Recovery Center (KRC). If the key needs to be recovered, it can
>only be done with the private key of the KRC. You have to prove to the
>KRC with a subpoena or whatever that you are entitled to the data.
>For FR and SMDS adding this data to the packet is no problem because we
>control the packet contents. However, how does this fit in with IPSEC
>and IKE?
>Is there an IKE option that says "TIS key recovery" packet format?
>
>
>
>Not that I know of.  I'll send this out on the IPSEC list to see what
>others are doing...
>--CJ
>
Robert Moskowitz
International Computer Security Association
	(248) 968-9809
Fax:	(248) 968-2824
rgm@icsa.net



