Re: [ipsec] FW: Key Recovery
At 12:00 PM 4/9/98 -0700, CJ Gibson wrote:
I would recommend not to touch this approach to Key recovery. It alters IKE.
Vach Kompella (kompella@us.ibm.com) has a proposal to vendors to use an
ICMP message to the KRC. This approach is orthogonal to IKE and thus can
be developed on a vendor by vendor basis.
>Can anybody out there help us with this issue of Key Recovery ?? Have
>any of you decided to implement this ??
>Thanks in advance,
> CJ
>
>-----Original Message-----
>From: CJ Gibson [SMTP:cjgibson@semaphorecom.com]
>Sent: Thursday, April 09, 1998 11:52 AM
>To: Margaret Gaynes
>Cc: cj; Roger Wang
>Subject: RE: Key Recovery
>
>Reply at bottom of note..
> -----Original Message-----
> From: Margaret Gaynes [SMTP:mgaynes@semaphorecom.com]
> Sent: Thursday, April 09, 1998 11:11 AM
> To: CJ
> Cc: Roger Wang
> Subject: Key Recovery
>
>By the end of the year we have to implement Key Recovery using the TIS
>RecoverKey tool kit. The way it works is that each encrypted packet has
>a Key Recovery Field (KRF) that travels with the encrypted data. It is
>the session key and recovery info encrypted with the public RSA key of
>the Key Recovery Center (KRC). If the key needs to be recovered, it can
>only be done with the private key of the KRC. You have to prove to the
>KRC with a subpoena or whatever that you are entitled to the data.
>For FR and SMDS adding this data to the packet is no problem because we
>control the packet contents. However, how does this fit in with IPSEC
>and IKE?
>Is there an IKE option that says "TIS key recovery" packet format?
>
>
>
>Not that I know of. I'll send this out on the IPSEC list to see what
>others are doing...
>--CJ
>
Robert Moskowitz
International Computer Security Association
(248) 968-9809
Fax: (248) 968-2824
rgm@icsa.net