
Re: IKE Public Key Encryption



Hello Henry,

First of all, thanks for bringing me back on-line - you're right, not all
public keys are based on certificates.

HS> Only if there is a well-defined convention for what it means in the case
HS> where no certificates are involved, or if the mandatory-ness is only in
HS> the certificate case.  One major reason for making things optional is so
HS> they can be omitted when they do not make sense.

I think making it mandatory for certs and not other methods would be
odd and overly complicated. I'm beginning to see a pattern:

Should the public key (cert or key itself, preferably), that is used
for the encryption by the initiator, be hashed and included in the third
message?

This would allow the responder to know exactly which was used by the
initiator, protect the identity, and pose no threat to security.
Whatta ya think?

-jim





