
Re: SOI: identity protection and DOS



On 20 Nov 2001, Derek Atkins wrote:
[...]
> 
> I happen to agree with Radia's point that you should try to protect
> the initiator's identity before the responder's identity (which
> implies the responder should authenticate to the initiator first).
> Yes, this implies an extra round trip, but if the initiator wants to
> protect their identity they should have the choice to do so.
> 

No, it does NOT imply an extra round trip. It is the other way around.  
Protecting the initiator from an active attacker takes just 3 messages.
Protecting the responder takes 4.
See the SIGMA draft
(http://www.ee.technion.ac.il/~hugo/draft-krawczyk-ipsec-ike-sigma-00.txt)

Hugo

> -derek
> 







