[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SOI: identity protection and DOS




I think that this observation by Sara is important:

>
> An insecure certificates deployment will be much more harmful than a
> *correct* and useful pre-shared key authentication mode."

For those that cite SSH as an example: much of the success of SSL 
and SSH is based on the permissiveness with which people USE public 
keys and certificates in these protocols (who reads certificate-related 
pop-up warnings in https?  how many consciously check a PK in a first 
SSH handshake?)

We want IPsec to succeed but not to "imitate" the above SSL and SSH
usage weaknesses.


Hugo

>
>
On Mon, 26 Nov 2001, Sara Bitan wrote:
>
> Pre-shared keys do not require extra messages.
> The P-SIGMA  protocol requires just three messages, like SIGMA.
>
> I think pre-shared keys authentication is a requirement, and it doesn't
> necessary imply huge overhead. There are several good (and popular)
> protocols out there that supply shared keys to two parties.
> I know that in the real world certificates are not as popular and widely
> used as we would like them to be. An insecure certificates deployment
will
> be much more harmful that a *correct* and useful pre-shared key
> authentication mode.
>
>  Sara






Follow-Ups: References: