
Re: Reliable delete notifies



Then change your PKI vendor or, shudder, implement RSA yourself in
your IPSec software.  Now that RSA is free, you can do that.  If MIT
freshmen can implement RSA, I'm sure your IPSec engineers can do it.

As I said, you DON'T need a full PKI.  You can treat RSA keys just like
you treat secret keys.  Instead of passing a single string of bytes,
you pass, in essence, two strings of bytes (N and e :)

You DO NOT NEED signed certificates for this functionality.  If your
PKI vendor doesn't support that, route around them :) Look at
FreeS/WAN for a great way to do it (and no, I'm NOT on the freeswan
team -- I'm just a user).

-derek

Michael Richardson <mcr@solidum.com> writes:

> >>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:
>     Derek> Personally, I don't see what's so hard about using e.g. RSA for
>     Derek> authentication.  It is no harder to set up an RSA-based
>     Derek> infrastructure than it is to create a shared-secret
>     Derek> infrastructure.  Indeed, I think it is easier.
> 
>     Derek> You don't need a full-blown PKI for an IPSec VPN.  All you need to
> 
>   You do if your vendor bought a semi-closed PKI solution from a PKI vendor!
> 
>   That is where this entire argument comes from --- the business models
> of the PKI vendors. 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
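
An added illustration of the point made in the message above (not code from the original post, from FreeS/WAN, or from any IPsec product): each peer is configured with a bare RSA public key (N, e), stored the way a shared secret would be, and a signature is checked against it with no certificate involved. The peer names, the helper functions and the demo keys are assumptions constructed for this example; the keys are built from well-known Mersenne primes so the block runs offline, which makes them trivially factorable and useless outside a demonstration.

```python
import hashlib
import hmac

# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 signatures (RFC 8017).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Encode msg as 00 01 FF..FF 00 DigestInfo, exactly k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg: bytes, n: int, d: int) -> int:
    """Private-key operation, included only to produce test signatures."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n)

def verify_peer(peers: dict, peer_id: str, msg: bytes, sig: int) -> bool:
    """Check sig against the (N, e) configured for peer_id. No certificate."""
    key = peers.get(peer_id)
    if key is None:
        return False  # unknown peer: same outcome as a missing shared secret
    n, e = key
    if not 0 < sig < n:
        return False
    k = (n.bit_length() + 7) // 8
    recovered = pow(sig, e, n).to_bytes(k, "big")
    # Re-encode and compare the whole block rather than parsing the padding.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(msg, k))

def demo_key(p_exp: int, q_exp: int, e: int = 65537):
    """Constructed demo key from Mersenne primes 2**x - 1. Never use for real."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

N_A, E_A, D_A = demo_key(521, 607)
N_B, E_B, D_B = demo_key(607, 1279)

# The per-peer table: "two strings of bytes (N and e)" where a secret would go.
PEERS = {"gw-a.example": (N_A, E_A), "gw-b.example": (N_B, E_B)}
```

The table holds only public values, so a copy of it leaked from one gateway does not let anyone impersonate a peer, unlike a leaked shared-secret table.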

