Re: [Design] Re: opportunistic encryption deployment problems
Oh.. you're right. I stand corrected. Duh...
jan
On Tue, 7 Aug 2001, Henry Spencer wrote:
> On Tue, 7 Aug 2001, Jan Vilhuber wrote:
> > [moving to the design list, instead of the ipsec list, as this is a general
> > freeswan design question]
>
> Uh, no, it's a *protocol* design issue. We hope that FreeS/WAN will not
> be the only implementation of opportunistic encryption, which is why we
> submitted it as an IETF draft, and why discussion probably should be cc'ed
> to the ipsec list.
>
> > > using an IP address it does not "own". The answer is that (a) it must
> > > originate the call, since there is no way to call in to it, (b) it must
> > > supply enough information via ID payloads
> >
> > But this is impossible in main-mode (without fixing it as per improveike
> > draft)...
>
> How so? The difficulty in main mode is with shared-secret authentication.
> Opportunistic uses RSA-signature authentication, which doesn't have the
> same design botch. ID payloads work just fine with signature
> authentication.
>
> Henry Spencer
> henry@spsystems.net
>
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
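The distinction Henry draws above (main mode's trouble is specific to shared-secret authentication, not to ID payloads) can be made concrete with the SKEYID derivations from RFC 2409 section 5. The following is an added illustration, not FreeS/WAN code or anything from this thread: with a pre-shared key, SKEYID = prf(PSK, Ni|Nr), so the responder must already have chosen the peer's secret before it can decrypt message 5 and read the ID payload, and the only selector it has at that point is the source IP address; with signatures, SKEYID = prf(Ni|Nr, g^xy) involves no peer-specific secret, so the responder decrypts the ID first and then picks the peer's public key by that ID. The nonces, cookies, the stand-in for the Diffie-Hellman secret, the peer tables, and the XOR stream cipher in place of IKE's CBC encryption are all constructed assumptions of this model.

```python
"""Constructed model of IKEv1 main-mode SKEYID derivation (RFC 2409 section 5),
showing why ID payloads are usable with signature authentication but not with
pre-shared keys when the initiator's IP address is not known in advance.
Not FreeS/WAN code; everything below the prf/SKEYID formulas is an assumption.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf is HMAC with the negotiated hash; SHA-1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared key: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def skeyid_sig(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    """Signatures: SKEYID = prf(Ni_b | Nr_b, g^xy); no peer-specific secret."""
    return prf(ni + nr, gxy)


def skeyid_e(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_e, the key that protects the ID payloads of messages 5 and 6."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    return prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher standing in for IKE's CBC mode (constructed)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))


# Constructed session state that both peers hold after messages 1 to 4.
NI, NR = bytes(range(16)), bytes(range(16, 32))
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8
GXY = hashlib.sha512(b"constructed stand-in for g^xy").digest()

# Responder's configuration. A PSK can only be indexed by address, because
# nothing else about the peer is readable before SKEYID exists.
PSK_BY_IP = {"192.0.2.10": b"branch-office-secret"}
# Public keys, by contrast, can be indexed by the identity carried in the ID payload.
PUBKEY_BY_ID = {b"roaming.example.net": b"<constructed RSA public key>"}


def encrypt_id_psk(psk: bytes, peer_id: bytes) -> bytes:
    """Initiator side, PSK: ID payload of message 5 under SKEYID_e."""
    return xor_stream(skeyid_e(skeyid_psk(psk, NI, NR), GXY, CKY_I, CKY_R), peer_id)


def responder_psk(src_ip: str, encrypted_id: bytes):
    """Responder side, PSK: the secret must be chosen from src_ip before the
    ID can be read. Returns None if no secret exists for that address."""
    psk = PSK_BY_IP.get(src_ip)
    if psk is None:
        return None
    return xor_stream(skeyid_e(skeyid_psk(psk, NI, NR), GXY, CKY_I, CKY_R), encrypted_id)


def encrypt_id_sig(peer_id: bytes) -> bytes:
    """Initiator side, signatures: same message 5, but SKEYID needs no secret."""
    return xor_stream(skeyid_e(skeyid_sig(NI, NR, GXY), GXY, CKY_I, CKY_R), peer_id)


def responder_sig(encrypted_id: bytes):
    """Responder side, signatures: decrypt the ID, then select the peer's
    public key by that ID. Returns (peer_id, public_key_or_None)."""
    key = skeyid_e(skeyid_sig(NI, NR, GXY), GXY, CKY_I, CKY_R)
    peer_id = xor_stream(key, encrypted_id)
    return peer_id, PUBKEY_BY_ID.get(peer_id)


if __name__ == "__main__":
    roaming = b"roaming.example.net"
    # Roaming host calling from an address the responder has never seen.
    print("PSK, unknown address :", responder_psk("198.51.100.7", encrypt_id_psk(b"roaming-secret", roaming)))
    # Same host behind an address that belongs to a different PSK: wrong key, garbage ID.
    print("PSK, wrong address   :", responder_psk("192.0.2.10", encrypt_id_psk(b"roaming-secret", roaming)))
    # Signature authentication: the ID is readable first, the key is chosen afterwards.
    print("SIG, any address     :", responder_sig(encrypt_id_sig(roaming)))
```

The model deliberately leaves out the HASH_I/HASH_R authentication step that follows; the point is only where in message 5 the responder first needs a peer-specific secret, which is what makes the address the only usable selector in the PSK case.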