
RE: Simplifying IKE



At 7:41 AM -0700 8/8/01, Hallam-Baker, Phillip wrote:
>>  STEVE:  I agree with you on this, but in practice, unless a
>>  PKI standard is
>>  settled on, my boss is not going to approve of me implementing a
>>  proprietary solution unless a consensus is reached in the
>>  IPsec community
>>  first.  My gut feeling is that it isn't gonna happen unless
>>  the work at the
>>  NIST on PKI suddenly becomes accepted as a standard.
>
>Why not simply plug into XKMS?
>
>All IPSEC cares about is the delivery of authenticated, validated
>keys. It should not need to know if the PKI is based on X509/PKIX,
>PGP, SPKI or YAPKI.
>
IPsec cares about IDs bound to keys used for authentication. To the 
extent that different PKI technologies support different name forms, 
IPsec needs to be aware of this, as it affects the types of symbolic 
names we support in the SPD.

A recommendation for simplification I have not yet seen is to reduce 
the range of cert types that IKE supports.  Everyone who does certs 
probably supports X.509. Few products support PGP, SPKI, or DNSSEC, 
despite these being mentioned in IKE. This would seem like an easy 
simplification.

Steve

P.S.  Please, Phil, no more XKMS advertisements here, OK?
