Re: Reliable delete notifies
On Mon, 9 Oct 2000, Henry Spencer wrote:
> On Sat, 7 Oct 2000, Dan Harkins wrote:
> > ...Does the Working Group want to keep
> > Aggressive Mode? Is Aggressive Mode "standards bloat" or
> > is it a necessary addition to do what Ben wants to do?
>
> The FreeS/WAN project thinks it's bloat and says get rid of it. We will
> not implement it, ever.
>
> As others have noted, anything you can do with shared secrets, you can do
> better with manually-installed public keys.
Actually, I've come to think (during the course of the day) that this is not
actually true. With pre-shared keys, you have ONE SINGLE key. This means that
I can create a special install-package for my employees, that they can
install on their computer, that contains this shared-key. (Yes I know it's
insecure.. bear with me).
With pure public keys, you need TWO of them. Granted, I can provision every
box with the same private key, which would make it equivalent to the above
group-pre-shared key scenario. But in reality you need two public keys,
where before you had a single pre-shared key.
Ok.. I'm not comparing apples-to-apples... So shoot me. For some reason a
group-rsa-private-key bothers me even MORE than a group-pre-shared key,
although that's rather irrational.
Is FreeS/WAN planning or at least thinking about implementing hybrid mode?
Then you could provision every peer with a central gateway's public key at
installation time, and use one-time passwords for authentication... The
alternative is a group-rsa-key, and xauth. Shudder. Or CRACK?
jan
> Now that a certain patent has
> died, we're moving to RSA signatures as our normal authentication method,
> with shared secrets not actually de-supported... at least, not yet... but
> moved to the "esoteric specialized topics" category already occupied by
> things like manual keying. This removes our last vestige of interest in
> Aggressive Mode.
>
> Henry Spencer
> henry@spsystems.net
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847