
Re: SOI: identity protection and DOS



I am trying to say that
if self-signed certs depend on the same out-of-band 'secured channel' that
a pre-shared key uses for its key management,
then why not just use a pre-shared key and save the trouble of
public/private keys?

I don't see the advantage of using a 'self-cert' over a 'pre-shared' key in this case.

--- David


----- Original Message -----
From: "Steven M. Bellovin" <smb@research.att.com>
To: "david chen" <ietf_davidchen@hotmail.com>
Cc: "Paul Hoffman / VPNC" <paul.hoffman@vpnc.org>; <ipsec@lists.tislabs.com>
Sent: Tuesday, November 27, 2001 7:39 PM
Subject: Re: SOI: identity protection and DOS


> In message <OE20dgLXZ3lV3Rr4Ygc00005184@hotmail.com>, "david chen" writes:
> >The very reason to certify a public key is that
> >if the key is not 'public' enough then it is subject to MIM attack.
> >
> >A self-signed cert is subject to MIM attack unless...
> >then why do we need public/private keys?
>
> You misunderstand.  I'm suggesting that whatever secure channel could
> be used to share a symmetric key could be used to share a public key.
> If you can't trust that channel, you can't use pre-shared secrets,
> either.
>
> --Steve Bellovin, http://www.research.att.com/~smb
> Full text of "Firewalls" book now at http://www.wilyhacker.com
>
>
>

