
Re: [Design] Re: opportunistic encryption deployment problems



On Tue, 7 Aug 2001, Jan Vilhuber wrote:
> [moving to the design list, instead of the ipsec list, as this is a general
> freeswan design question]

Uh, no, it's a *protocol* design issue.  We hope that FreeS/WAN will not
be the only implementation of opportunistic encryption, which is why we
submitted it as an IETF draft, and why discussion probably should be cc'ed
to the ipsec list.

> > using an IP address it does not "own".  The answer is that (a) it must
> > originate the call, since there is no way to call in to it, (b) it must
> > supply enough information via ID payloads
> 
> But this is impossible in main-mode (without fixing it as per improveike
> draft)...

How so?  The difficulty in main mode is with shared-secret authentication.
Opportunistic uses RSA-signature authentication, which doesn't have the
same design botch.  ID payloads work just fine with signature
authentication.

                                                          Henry Spencer
                                                       henry@spsystems.net
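Added illustration (not part of the thread, and not FreeS/WAN code) of the "design botch" Henry refers to: a toy model of RFC 2409 main-mode key derivation showing that with signatures the responder can decrypt message 5 and read the initiator's ID before needing any peer-specific key, while with pre-shared keys the decryption key already depends on the PSK, which therefore has to be selected by source address. The XOR stream cipher, the PSK table and the addresses are constructed stand-ins; the PRF is HMAC-SHA1.

```python
"""Toy model of RFC 2409 main mode: can the responder read IDi from message 5?"""
import hashlib
import hmac
import os
from typing import Dict, Optional

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid(auth: str, ni: bytes, nr: bytes, gxy: bytes, psk: bytes = b"") -> bytes:
    """RFC 2409 sec. 5: signatures use prf(Ni_b|Nr_b, g^xy); pre-shared keys use
    prf(pre-shared-key, Ni_b|Nr_b), so the PSK variant is keyed by the secret."""
    return prf(ni + nr, gxy) if auth == "sig" else prf(psk, ni + nr)

def skeyid_e(sk: bytes, gxy: bytes, cky: bytes) -> bytes:
    """SKEYID_e, the key protecting main-mode messages 5 and 6 (sec. 5)."""
    d = prf(sk, gxy + cky + b"\x00")
    a = prf(sk, d + gxy + cky + b"\x01")
    return prf(sk, a + gxy + cky + b"\x02")

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the real cipher: XOR with an HMAC keystream."""
    ks = b"".join(prf(key, i.to_bytes(4, "big")) for i in range(len(data) // 20 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def initiator_msg5(auth: str, idi: bytes, ni, nr, gxy, cky, psk=b"") -> bytes:
    """Initiator encrypts its ID payload under SKEYID_e (message 5)."""
    return xor_stream(skeyid_e(skeyid(auth, ni, nr, gxy, psk), gxy, cky), idi)

def responder_read_idi(auth: str, msg5: bytes, ni, nr, gxy, cky,
                       src_ip: str, psk_by_ip: Dict[str, bytes]) -> Optional[bytes]:
    """Responder derives the decryption key and tries to recover IDi."""
    if auth == "sig":
        key = skeyid_e(skeyid("sig", ni, nr, gxy), gxy, cky)  # no peer secret needed yet
    else:
        psk = psk_by_ip.get(src_ip)  # PSK must be chosen before the ID is readable
        if psk is None:
            return None              # peer on an address we cannot map: stuck
        key = skeyid_e(skeyid("psk", ni, nr, gxy, psk), gxy, cky)
    return xor_stream(key, msg5)

def demo(auth: str, src_ip: str) -> Optional[bytes]:
    """One exchange; the responder's PSK table only knows a fixed address."""
    ni, nr, gxy, cky = (os.urandom(n) for n in (16, 16, 32, 16))
    psk_by_ip = {"192.0.2.1": b"constructed-psk"}           # constructed table
    idi = b"road-warrior@example.net"                       # constructed identity
    msg5 = initiator_msg5(auth, idi, ni, nr, gxy, cky, b"constructed-psk")
    return responder_read_idi(auth, msg5, ni, nr, gxy, cky, src_ip, psk_by_ip)
```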