Re: SOI: identity protection and DOS
Ari Huttunen writes:
> Derek Atkins wrote:
> > Do you mean pre-shared secret-key or pre-shared public-key? I happen
> > to agree with Steve that pre-shared public-key is sufficient (and
> > probably superior) to pre-shared secret-key authentication. In other
> > words, we pre-share RSA Public Keys. No certificates are necessarily
> > required. As was pointed out, see SSH for an example of how this
> > works.
>
> I agree that pre-shared public key is sufficient, and argue that either
> one is necessary for at least easy testing. There's also one benefit
> to this not already mentioned (that I noticed), i.e. that
> "foobar" or "you'll never guess" are not public keys.
It's probably worth tossing into the debate that
KINK provides the ability to do third party as
well as peer-peer[*] symmetric key SA
establishment, which hopefully meets all of the
other requirements. I'm sort of neutral about
whether SOI should provide the ability to use
pre-shared keys again, but unlike the first
go-round of IKE, we do have a viable alternative
if you like pre-shared keys.
Mike
[*] All that is needed to construct a peer to peer
protocol out of KINK is to implement AS-REQ/TGS-REQ
on the KINK peer and camp on port 88.
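The SSH-style model the thread keeps pointing at (pre-shared public keys, no certificates, each side pins the peer's key out of band) and Ari's observation that a string like "foobar" can be a pre-shared secret but never a public key, worked through as an added example that is not part of this thread or of any SOI/KINK implementation. The RSA parameters are tiny constructed Mersenne-prime keys for illustration only, the peer names `gw-a.example` and `gw-z.example` are assumed, and the challenge-response format is invented for the demo:

```python
import hashlib
import hmac
import secrets

# --- Toy RSA (constructed, insecure sizes; stands in for real SSH/IKE keys) ---
# Well-known Mersenne primes; a real key would use large random primes.
P_A, Q_A = 2**61 - 1, 2**89 - 1      # key that IS pre-shared with the responder
P_B, Q_B = 2**107 - 1, 2**127 - 1    # key that was never pre-shared


def make_toy_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)); pow(e, -1, phi) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def encode_pub(pub):
    n, e = pub
    return f"toy-rsa {e} {n}".encode()


def fingerprint(pub):
    """What actually gets pre-shared: a hash of the canonical public key."""
    return hashlib.sha256(encode_pub(pub)).hexdigest()


def _hash_to_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    n, d = priv
    return pow(_hash_to_int(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(msg, n)


# --- Pre-shared public key authentication (SSH known_hosts style) ---
def responder_challenge():
    return secrets.token_bytes(16)


def initiator_prove(identity, priv, pub, nonce):
    # Initiator sends its identity, its public key, and a signature over the
    # responder's nonce bound to the identity (no certificate involved).
    return {"id": identity, "pub": pub, "sig": sign(priv, nonce + identity.encode())}


def responder_verify(known_peers, nonce, proof):
    """known_peers maps identity -> pinned fingerprint, populated out of band."""
    pinned = known_peers.get(proof["id"])
    if pinned is None:
        return "unknown-peer"
    if not hmac.compare_digest(pinned, fingerprint(proof["pub"])):
        return "key-mismatch"      # the SSH "host key has changed" situation
    if not verify(proof["pub"], nonce + proof["id"].encode(), proof["sig"]):
        return "bad-signature"     # wrong private key, or a replayed proof
    return "ok"


# --- Pre-shared secret, for contrast ---
def psk_prove(psk, nonce):
    return hmac.new(psk, nonce, "sha256").digest()


def psk_verify(psk, nonce, tag):
    # Nothing here can tell a human-chosen password from a 32-byte random key.
    return hmac.compare_digest(psk_prove(psk, nonce), tag)


def demo():
    pub_a, priv_a = make_toy_keypair(P_A, Q_A)
    pub_x, priv_x = make_toy_keypair(P_B, Q_B)
    known = {"gw-a.example": fingerprint(pub_a)}   # assumed peer name, pinned key
    nonce = responder_challenge()
    results = {}
    results["honest"] = responder_verify(
        known, nonce, initiator_prove("gw-a.example", priv_a, pub_a, nonce))
    results["wrong_key"] = responder_verify(
        known, nonce, initiator_prove("gw-a.example", priv_x, pub_x, nonce))
    results["unknown"] = responder_verify(
        known, nonce, initiator_prove("gw-z.example", priv_x, pub_x, nonce))
    stale = initiator_prove("gw-a.example", priv_a, pub_a, responder_challenge())
    results["replayed"] = responder_verify(known, nonce, stale)
    # "foobar" is a perfectly valid pre-shared secret as far as the protocol knows.
    results["psk_foobar"] = psk_verify(b"foobar", nonce, psk_prove(b"foobar", nonce))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12} -> {outcome}")
```

The pinned fingerprint table is the whole trust anchor: a peer presenting an unknown identity, a known identity with a different key, or a signature over a stale nonce is rejected without any certificate chain. The PSK path shows the asymmetry Ari points at: the responder accepts whatever bytes both sides configured, so key quality rests entirely on the operator, whereas on the public-key path the secret is a private key that no one types in.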