Re: Position statement on IKE development
I think certificate management (and distribution) within IKE is the
biggest problem of all. I want to talk to the host/printer/network
device at address 1.2.3.4. How do I get its public key, and why do I
want to trust it?
PFS is _EASY_ compared to that. An ephemeral DH exchange solves PFS.
But how do I authenticate? Better, how do I authenticate on a GLOBAL
scale? Now _THAT_ is the hard problem (IMHO).
-derek
"Hallam-Baker, Phillip" <pbaker@verisign.com> writes:
> I have a different set of concerns, IPSEC is not being used in cases where
> it should have been the answer.
>
> In particular the IEEE 802.11b WEP fiasco could have been averted if the
> designers had not been discouraged by the complexity of IPSEC.
>
> Another issue is why can't I buy a printer that is IPSEC enabled?
>
> I believe that the biggest problem with IPSEC is that the search for a
> certain view of perfect security has led to a standard that many have
> bypassed altogether as too demanding.
>
> Perfect Forward Secrecy is great, but I would rather have a secure means of
> connecting to my printer than the possibility of a perfectly secure means in
> ten years time.
>
> End to end security is a good thing, but in many applications the overhead
> of negotiating trust relationships end to end is just too high. How am I
> expected to configure the end to end security on an embedded device with no
> console. Oh I use a web browser to connect to it, yes very end to end.
>
> Phill
>
>
>
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
>
>
> > -----Original Message-----
> > From: Marcus Leech [mailto:mleech@nortelnetworks.com]
> > Sent: Thursday, August 02, 2001 9:34 PM
> > To: msec@securemulticast.org; ietf-ipsra@vpnc.org;
> > ipsec-policy@vpnc.org; ipsec@lists.tislabs.com
> > Subject: Position statement on IKE development
> >
> >
> > I'm sending the attached ASCII TEXT document on behalf of myself, Jeff
> > Schiller, and Steve Bellovin, to clarify our position with respect to IKE
> > development. It is our hope that it will clarify, to some extent, some
> > fuzziness in this area that has evolved over the last year or so.
> >
>
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
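The distinction Derek draws above, that an ephemeral DH exchange gives forward secrecy while authentication is a separate problem, can be shown in a few lines. The following is an added example, not code from the thread or from any IKE implementation. It uses a toy modular DH group (the prime 2^255 - 19 with generator 2, constructed here and not a vetted group) and a pre-shared long-term key as the stand-in credential; in real IKE the group would be an RFC 3526 / RFC 7919 MODP group and the credential a certificate or PSK, and the hard part Derek names, distributing and trusting that credential, is exactly what this example takes as given.

```python
"""Ephemeral DH gives forward secrecy; authentication is a separate step.

Added example, not part of the original thread.  Toy DH parameters and a
pre-shared long-term key (hypothetical) stand in for a real IKE group and
credential.
"""
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only: 2^255 - 19 is prime, but this
# is NOT a vetted DH group.  Real IKE uses the MODP groups from RFC 3526/7919.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Fresh ephemeral exponent and public value; thrown away after the exchange."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Classic DH: both sides arrive at g^(xy) mod p."""
    return pow(peer_pub, priv, P)


def session_key(shared, transcript):
    """Derive the session key from the ephemeral secret and the public values.
    No long-term key enters here, so a later credential compromise does not
    reveal this key (forward secrecy)."""
    return hashlib.sha256(shared.to_bytes(32, "big") + transcript).digest()


def auth_tag(long_term_key, transcript):
    """Prove possession of a long-term credential over the DH transcript.
    HMAC with a PSK is used here; IKE can equally sign the transcript with a
    certificate's private key."""
    return hmac.new(long_term_key, transcript, hashlib.sha256).digest()


def run_exchange(initiator_ltk, responder_ltk):
    """Run one ephemeral DH exchange and return
    (keys_match, initiator_accepts_peer, responder_accepts_peer, session_key)."""
    xi, gi = dh_keypair()          # initiator's ephemeral pair
    xr, gr = dh_keypair()          # responder's ephemeral pair
    transcript = gi.to_bytes(32, "big") + gr.to_bytes(32, "big")

    # Both sides derive the same key from the ephemeral values alone.
    ki = session_key(dh_shared(xi, gr), transcript)
    kr = session_key(dh_shared(xr, gi), transcript)

    # Authentication is a separate check layered on top of the transcript.
    tag_i = auth_tag(initiator_ltk, transcript)
    tag_r = auth_tag(responder_ltk, transcript)
    responder_accepts = hmac.compare_digest(tag_i, auth_tag(responder_ltk, transcript))
    initiator_accepts = hmac.compare_digest(tag_r, auth_tag(initiator_ltk, transcript))

    return ki == kr, initiator_accepts, responder_accepts, ki


if __name__ == "__main__":
    psk = b"constructed-sample-psk"
    print("same credential:     ", run_exchange(psk, psk)[:3])
    print("different credential:", run_exchange(psk, b"someone-else")[:3])
```

Run it twice and the session keys differ although the PSK is unchanged, which is the PFS property; run it with mismatched credentials and the DH keys still agree while both authentication checks fail, which is the point that DH alone never tells you who is on the other end.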