
XKMS and NIH RE: Simplifying IKE




Steve,

	You entirely manage to miss the point. You agree that part of the
complexity of IPSEC is that it is required to interface to every PKI in the
universe for political reasons. Then you make the statesmanlike suggestion
that the world standardize on the specification of the working group you
have been chairing. It may well make good technical sense. Perhaps you would
like to lend your support to Neil Kinnock's proposal to make English the
sole administrative language of the European Union while you are at it?

	As for 'advertising' the work product of another open standards
working group that is appropriate to a working group topic, has substantial
commitments from the major PKI vendors, major application vendors and major
customers - I will do it at every opportunity thank you very much, whether
the specification is one of my own invention or of somebody else.

	It was the first time that I had raised XKMS on the IPSEC list. It
was not off topic, it was in fact entirely on topic. I don't think that the
majority of the IETF would agree that Not Invented Here is a good policy.
Plenty of IETF working groups make use of the work product of other working
groups outside the IETF, BEEP makes use of a W3C specification, PKIX makes
use of an ITU standard.

	Perhaps you could elaborate the reasons why you do not consider XKMS
to be a suitable topic for consideration by IPSEC?

	XKMS is designed to allow simplification of client implementation of
PKI. The topic on the table is simplification of IPSEC.

		Phill


Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Tuesday, August 14, 2001 7:15 PM
> To: Hallam-Baker, Phillip
> Cc: 'Steve.Robinson@psti.com'; Sandy Harris; ipsec@lists.tislabs.com;
> owner-ipsec@lists.tislabs.com
> Subject: RE: Simplifying IKE
> 
> 
> At 7:41 AM -0700 8/8/01, Hallam-Baker, Phillip wrote:
> >>  STEVE:  I agree with you on this, but in practice, unless a
> >>  PKI standard is
> >>  settled on, my boss is not going to approve of me implementing a
> >>  proprietary solution unless a consensus is reached in the
> >>  IPsec community
> >>  first.  My gut feeling is that it isn't gonna happen unless
> >>  the work at the
> >>  NIST on PKI suddenly becomes accepted as a standard.
> >
> >Why not simply plug into XKMS?
> >
> >All IPSEC cares about is the delivery of authenticated, validated
> >keys. It should not need to know if the PKI is based on X509/PKIX,
> >PGP, SPKI or YAPKI.
> >
> IPsec cares about IDs bound to keys used for authentication. To the 
> extent that different PKI technologies support different name forms, 
> IPsec needs to be aware of this, as it affects the types of symbolic 
> names we support in the SPD.
> 
> A recommendation for simplification I have not yet seen is to reduce 
> the range of cert types that IKE supports.  Everyone who does certs 
> probably supports X.509. Few products support PGP, SPKI, or DNSSEC, 
> despite these being mentioned in IKE. This would seem like an easy 
> simplification.
> 
> Steve
> 
> P.S.  Please, Phil, no more XKMS advertisements here, OK?
> 
