[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Position statement on IKE development

To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Subject: Re: Position statement on IKE development
From: Derek Atkins <warlord@mit.edu>
Date: 03 Aug 2001 17:18:11 -0400
Cc: "'Marcus Leech'" <mleech@nortelnetworks.com>, msec@securemulticast.org, ietf-ipsra@vpnc.org, ipsec-policy@vpnc.org, ipsec@lists.tislabs.com
In-Reply-To: "Hallam-Baker, Phillip"'s message of "Fri, 3 Aug 2001 13:37:15 -0700"
References: <2F3EC696EAEED311BB2D009027C3F4F40154CA41@vhqpostal.verisign.com>
Sender: owner-ipsec@lists.tislabs.com

I think certificate management (and distribution) within IKE is the
biggest problem of all.  I want to talk to the host/printer/network
device at address 1.2.3.4.  How do I get it's public key, and why do I
want to trust it?

PFS is _EASY_ compared to that.  An ephemeral DH exchange solves PFS.
But how do I authenticate?  Better, how do I authenticate on a GLOBAL
scale?  Now _THAT_ is the hard problem (IMHO).

-derek

"Hallam-Baker, Phillip" <pbaker@verisign.com> writes:

> I have a different set of concerns, IPSEC is not being used in cases where
> it should have been the answer.
> 
> In particular the IEEE 802.11b WEP fiasco could have been averted if the
> designers had not been discouraged by the complexity of IPSEC.
> 
> Another issue is why can't I buy a printer that is IPSEC enabled?
> 
> I believe that the biggest problem with IPSEC is that the search for a
> certain view of perfect security has lead to a standard that many have
> bypassed altogether as too demanding.
> 
> Perfect Forward Secrecy is great, but I would rather have a secure means of
> connecting to my printer than the possibility of a perfectly secure means in
> ten years time.
> 
> End to end security is a good thing, but in many applications the overhead
> of negotiating trust relationships end to end is just too high. How am I
> expected to configure the end to end security on an embedded device with no
> console. Oh I use a web browser to connect to it, yes very end to end.
> 
> 		Phill
> 
> 
> 
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
> 
> 
> > -----Original Message-----
> > From: Marcus Leech [mailto:mleech@nortelnetworks.com]
> > Sent: Thursday, August 02, 2001 9:34 PM
> > To: msec@securemulticast.org; ietf-ipsra@vpnc.org;
> > ipsec-policy@vpnc.org; ipsec@lists.tislabs.com
> > Subject: Position statement on IKE development
> > 
> > 
> > I'm sending the attached ASCII TEXT document on behalf of myself, Jeff
> > Schiller, and
> >   Steve Bellovin, to clarify our position with respect to IKE
> > development. It is our hope
> >   that it will clarify, to some extent, some fuzziness in 
> > this area that
> > has evolved over
> >   the last year or so.
> > 
> 
> 
> ------_=_NextPart_000_01C11C5C.14D9EDC0
> Content-Type: application/octet-stream;
> 	name="Phillip Hallam-Baker (E-mail).vcf"
> Content-Disposition: attachment;
> 	filename="Phillip Hallam-Baker (E-mail).vcf"
> 
> BEGIN:VCARD
> VERSION:2.1
> N:Hallam-Baker;Phillip
> FN:Phillip Hallam-Baker (E-mail)
> ORG:VeriSign
> TITLE:Principal Consultant
> TEL;WORK;VOICE:(781) 245-6996 x227
> EMAIL;PREF;INTERNET:hallam@verisign.com
> REV:20010214T163732Z
> END:VCARD
> 
> ------_=_NextPart_000_01C11C5C.14D9EDC0--

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

References:

RE: Position statement on IKE development

From: "Hallam-Baker, Phillip" <pbaker@verisign.com>

Prev by Date: RE: Position statement on IKE development
Next by Date: Re: Position statement on IKE development
Prev by thread: RE: Position statement on IKE development
Next by thread: Re: Position statement on IKE development
Index(es):
- Main
- Thread