Re: SOI: preshared
Sure. Same considerations apply though.
Mike
Paul Hoffman / VPNC writes:
> At 11:45 AM -0800 11/19/01, Michael Thomas wrote:
> >The consequence of using naked public keys in lieu
> >of symmetric keys is that you incur the cost of
> >both a DH and a RSA operation. You could
> >conceivably get rid of the DH if you don't care
> >about identity, but for preshared keys it seems
> >questionable why you'd want to do _either_.
>
> It doesn't have to be a bare public key. A self-signed cert has other
> signed attributes in it, such as the key validity date and an
> identity. The recipient simply needs to pull the public key out of
> the cert to check that key against its set of trusted public keys.
> (One doesn't need to trust this as a root cert: it is easy to make a
> policy of "if I get a self-signed cert as an identifier, I won't do
> any chaining, even if the cert says chaining is OK").
>
> Using self-signed certs is the method that JFK currently uses to
> allow simple trust between two parties without needing a PKI. There
> is no shared-secret mode.
>
> --Paul Hoffman, Director
> --VPN Consortium
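As a worked illustration of the policy Paul describes (an added example, not code from either poster or from the JFK/SOI drafts): the recipient parses the self-signed cert, checks that issuer equals subject and that the signature verifies under the cert's own key, honours the signed validity window, then hashes the SubjectPublicKeyInfo and looks it up in a locally provisioned table of trusted keys. No chain is built, even though the cert sets the CA bit. The table layout, the SHA-256 fingerprint, the Ed25519 keys and the party names are assumptions made for the example; a second party whose key is not in the table is rejected even though its cert is well-formed and claims the same identity.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TrustedKeys is the recipient's out-of-band configured table of peer public
// keys, indexed by SHA-256 of the DER SubjectPublicKeyInfo. The layout is an
// assumption for this example, not something JFK or SOI specify.
type TrustedKeys map[string]string // fingerprint -> peer label

// GenerateKey makes a fresh Ed25519 key pair for a party in the example.
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// KeyFingerprint hashes only the DER SubjectPublicKeyInfo, so the same value
// matches whether the key arrives bare or wrapped in a self-signed cert.
func KeyFingerprint(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// NewSelfSignedCert wraps the holder's key in a cert that also carries a
// signed identity (CN) and validity window. The CA bit is set on purpose so
// the check below can show that "chaining is OK" in the cert is ignored.
func NewSelfSignedCert(pub ed25519.PublicKey, priv ed25519.PrivateKey, cn string,
	notBefore, notAfter time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // the cert says chaining is OK
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// CheckPeerCert applies the policy from the message: the self-signed cert is
// just an identifier, the key inside it must already be trusted, and no
// chain is ever built. It returns the configured peer label on success.
func CheckPeerCert(der []byte, trusted TrustedKeys, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	// Self-signed: issuer == subject and the signature verifies under the
	// cert's own key. cert.Verify with a root pool is deliberately not used.
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return "", errors.New("issuer differs from subject: not self-signed")
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return "", fmt.Errorf("self-signature invalid: %w", err)
	}
	// The validity window is covered by the signature, so it is worth honouring.
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("certificate outside its validity period")
	}
	fp, err := KeyFingerprint(cert.PublicKey)
	if err != nil {
		return "", err
	}
	label, ok := trusted[fp]
	if !ok {
		// Good signature, plausible CN, CA bit set: none of it matters
		// unless the key was trusted in advance.
		return "", errors.New("public key not in trusted set")
	}
	return label, nil
}

func main() {
	now := time.Now()
	alicePub, alicePriv, _ := GenerateKey()
	malPub, malPriv, _ := GenerateKey()

	fp, _ := KeyFingerprint(alicePub) // out-of-band provisioning of Alice only
	trusted := TrustedKeys{fp: "alice"}

	good, _ := NewSelfSignedCert(alicePub, alicePriv, "alice", now.Add(-time.Hour), now.Add(time.Hour))
	fmt.Println(CheckPeerCert(good, trusted, now))

	// Same CN, same CA bit, valid self-signature, unknown key: rejected.
	bad, _ := NewSelfSignedCert(malPub, malPriv, "alice", now.Add(-time.Hour), now.Add(time.Hour))
	fmt.Println(CheckPeerCert(bad, trusted, now))
}
```

The point to take from the code is that the trust decision rests entirely on the lookup in the local key table; the certificate format only adds a signed name and dates on top of what a bare key would give.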