Re: Reliable delete notifies
On Mon, 9 Oct 2000, Jan Vilhuber wrote:
> With pure public keys, you need TWO of them. Granted, I can provision every
> box with the same private key, which would make it equivalent to the above
> group-pre-shared key scenario. But in reality you need two public keys,
> where before you had a single pre-shared key.
Consider them two halves of the same shared secret. There's no fundamental
difference...
> Is free-swan planning or at least thinking about implementing hybrid mode?
Not at present. Faced with a choice of methods, we have a strong
preference for picking one good general-purpose method and using it
throughout, and we've chosen RSA signatures as the best general-purpose
authentication method. (We'd like to make it easier for our contributors
to contribute other authentication methods, but we have no plans to do any
others ourselves.)
> Then you could provision every peer with a central gateway's public key at
> installation time, and use one-time passwords for authentication...
Actually you don't even need to provision the peers with the gateway's
public key, if you trust DNS lookups -- you can get it from DNS. But we
have no plans to support any password scheme... although it wouldn't be
hard to do one-time RSA keys by adding a few tweaks to scripts. :-)
Henry Spencer
henry@spsystems.net