Re: [MSEC] Re: multicast authentication using AH
So it might not be a no-brainer to put digital signatures in ESP or AH.
At 02:46 PM 6/13/2001 -0600, Hilarie Orman wrote:
>Might also want to encode an ident somewhere.
GDOI does this in its Phase 2.
>Should there be an option for attaching a cert to the message,
>or would you see that being done solely by key mgmt (group mgr
>would multicast sender certs to the group)?
GDOI does this as part of its key management over pairwise and
multicast connections.
>Maintaining many certs does complicate SA mgmt, it's like having
>many keys/SA.
I don't think having multiple authorizations, such as to belong to
multiple groups, requires having a unique signature key for each
authorization.
Mark
>Hilarie
>
> >>> Dan McDonald <danmcd@East.Sun.COM> 06/13/01 08:14AM >>>
> > > > AH SHOULD HAVE supported authentication with digital signatures.
> > >
> > >There's nothing, I believe, about AH that prevents digital signatures from
> > >being used.
> > >
> > >The Authentication Data area can be made up to 1016 bytes (just shy of
> > >8kbits) per 2402. That should be plenty of room for a digital signature.
> > >
> > >Dan
> >
> > How is this signalled?
>
>It's part of the IPsec Security Association data. Per 2401, an SA is indexed
>by the tuple <AH, SPI, IP destination address>. When you add the appropriate
>SA, you get all sorts of data, including the algorithm.
>
>All one would need to do is write a new "algorithm document" for using a
>digital signature with AH. It shouldn't be tough, and if I had cycles (HAH!)
>I could easily prototype one in Solaris.
>
>Dan
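The two capacity figures in Dan's reply (Authentication Data up to 1016 bytes, "just shy of 8 kbits") follow directly from the AH header layout in RFC 2402: Payload Len is an 8-bit count of 32-bit words minus 2, and the fixed part of the header is 12 bytes. The following is an added example, not code from this thread or any IPsec implementation: it derives those limits, builds and parses an AH header with the padding RFC 2402 requires, and selects an inbound SA by the <AH, SPI, destination> tuple Dan cites from RFC 2401. The SA table entries are constructed, and the "RSA-2048-SHA1" algorithm label is hypothetical, standing in for the algorithm document Dan says would have to be written.

```python
import struct

# Fixed part of the AH header, RFC 2402 section 2:
# Next Header (1) + Payload Len (1) + Reserved (2) + SPI (4) + Sequence Number (4)
AH_FIXED_LEN = 12
# Payload Len is an 8-bit count of 32-bit words minus 2, so 255 is the largest value.
MAX_PAYLOAD_LEN_FIELD = 255
# Largest Authentication Data field that can be signalled: (255 + 2) * 4 - 12 = 1016 bytes.
MAX_AUTH_DATA_LEN = (MAX_PAYLOAD_LEN_FIELD + 2) * 4 - AH_FIXED_LEN


def auth_data_capacity_bits():
    """Bits available for an ICV or signature in AH: 8128, 'just shy of 8 kbits'."""
    return MAX_AUTH_DATA_LEN * 8


def signature_fits(signature_bits):
    """True if a signature of this many bits can be carried in the AH Authentication Data.
    A 4096-bit RSA signature fits; an 8192-bit one does not."""
    return signature_bits <= auth_data_capacity_bits()


def build_ah(next_header, spi, seq, icv, ipv6=False):
    """Serialise an AH header around an ICV, padding the Authentication Data to the
    alignment RFC 2402 section 2.5 requires (32-bit for IPv4, 64-bit for IPv6)
    and computing the Payload Len field from the resulting total length."""
    align = 8 if ipv6 else 4
    pad = (-(AH_FIXED_LEN + len(icv))) % align
    auth_data = icv + b"\x00" * pad
    total_len = AH_FIXED_LEN + len(auth_data)
    payload_len = total_len // 4 - 2
    if payload_len > MAX_PAYLOAD_LEN_FIELD:
        raise ValueError("ICV of %d bytes does not fit in AH (max %d)"
                         % (len(icv), MAX_AUTH_DATA_LEN))
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + auth_data


def parse_ah(buf):
    """Parse an AH header from the start of buf; returns the fields and the raw
    Authentication Data (ICV plus any alignment padding)."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4
    if len(buf) < total_len:
        raise ValueError("AH Payload Len exceeds the bytes available")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "auth_data": buf[AH_FIXED_LEN:total_len], "header_len": total_len}


# Constructed SA table keyed as RFC 2401 describes: <protocol, SPI, destination address>.
# For a multicast SA the destination is the group address. 'icv_len' is how many bytes of
# Authentication Data are the real ICV; anything beyond it is alignment padding.
# The second algorithm name is hypothetical: no AH signature algorithm document existed.
SA_TABLE = {
    ("AH", 0x1001, "192.0.2.10"): {"algorithm": "HMAC-SHA1-96", "icv_len": 12},
    ("AH", 0x2002, "239.192.0.1"): {"algorithm": "RSA-2048-SHA1 (hypothetical)", "icv_len": 256},
}


def select_sa(dst, ah_bytes):
    """Look up the SA for an inbound AH packet and return (sa, icv) with padding stripped.
    Raises KeyError when no SA matches the tuple and ValueError when the Authentication
    Data is too short for the ICV the SA's algorithm produces."""
    hdr = parse_ah(ah_bytes)
    sa = SA_TABLE[("AH", hdr["spi"], dst)]
    icv_len = sa["icv_len"]
    if len(hdr["auth_data"]) < icv_len:
        raise ValueError("Authentication Data shorter than the SA's ICV length")
    return sa, hdr["auth_data"][:icv_len]
```

The receiver never learns the algorithm from the packet: as Dan says, it comes from the SA that the SPI and destination select, which is why `select_sa` consults the table before it can even tell where the ICV ends. The size check in `build_ah` is the practical consequence of the 8-bit Payload Len field: a signature scheme whose output exceeds 1016 bytes cannot be carried in AH at all, however the algorithm document is written.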