
SOI: preshared




There's an interesting question posed by Cheryl's
requirements draft about the scope of son-of-ike.
As Cheryl points out, IKE is popularly thought of
as a PKI authentication protocol even if the
reality is something else.

I think we're at an interesting crossroads here
because a SOI doesn't have to be a kitchen sink
protocol anymore since we've gained experience, as
well as having some other arrows in our quiver (cf.
KINK). JFK positions itself as a PKI
authentication *only* protocol. KINK is quite
naturally useful for pre-shared keys, but requires
an active third party authentication box (KDC).

So here are the questions:

1) Should we deem peer-peer preshared keying bogus?
2) If not, should SOI inherently be a dual (triple...)
   authentication mechanism protocol?
3) If so, how do we bound the authentication
   mechanisms to keep IKE manageable?
4) If not, what fills the hole of peer-peer
   pre-shared keys? A different protocol?
   Extend KINK (many possible ways to do this)?

	  Mike

