
Re: SOI: identity protection and DOS



On Wed, 28 Nov 2001, david chen wrote:
> I am trying to say that
> if self-signed certs depend on the out-of-band 'secured channel' that
> is used in the same way as a pre-shared key for its key management,
> then why not just use a pre-shared key and save the trouble of
> public/private keys?
> I don't see the advantage of using 'self-cert' over 'pre-shared' in this case.

At least three advantages:

1) Self-certs need not be kept secret to be usable.  So the channel used
to verify them must be authenticated but need not be private; they need
not be stored in secure storage; etc.

2) No requirement to have a separate self-cert for each connection; one
per host suffices.

3) Uses much the same mechanism as PKI certificates, so there is no need
to have a different variant of the protocol (different analysis and
verification, different code, etc.) for them. 

                                                          Henry Spencer
                                                       henry@spsystems.net
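As an added illustration (not part of the thread), the key-management property behind points 1 and 2, in Go: a host generates one self-signed certificate, its SHA-256 fingerprint is the public value a peer obtains over an authenticated (not necessarily private) channel, and any number of peers verify the in-band certificate against that fingerprint. The host name, the SAN placement and the fingerprint format are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// NewSelfCert makes the one self-signed certificate a host keeps; only the
// private key is secret, and the same certificate serves every peer.
func NewSelfCert(host string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // assumed: host name carried as a SAN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key, err
}

// Fingerprint is the value exchanged out of band. It is public, so the channel
// carrying it must be authenticated (not swappable) but need not be private.
func Fingerprint(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// VerifyPeerCert is a peer's check on a certificate received in-band: it must
// match the out-of-band fingerprint, and its own key must verify its signature.
func VerifyPeerCert(der []byte, expectedFP string) (*x509.Certificate, error) {
	if Fingerprint(der) != expectedFP {
		return nil, errors.New("certificate does not match out-of-band fingerprint")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return nil, err
	}
	return cert, nil
}
```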


