Re: SOI: identity protection and DOS

["Steven M. Bellovin" <smb@research.att.com>]

In message <Pine.BSI.3.91.1011128081445.25421C-100000@spsystems.net>, Henry Spe
ncer writes:
>On Wed, 28 Nov 2001, david chen wrote:
>> I try to say that
>> if self-signed certs depend on the out-of-band 'secured channel' that
>> is used the same as pre-shared key for its key management,
>> then why not just use pre-shared key? and save the trouble for
>> public/private keys.
>> Don't see the advantage of using 'self-cert' over 'pre-shared' in this case.
>
>At least three advantages:
>
>1) Self-certs need not be kept secret to be usable.  So the channel used
>to verify them must be authenticated but need not be private, they need
>not be stored in secure storage, etc.
>
>2) No requirement to have a separate self-cert for each connection; one
>per host suffices.
>
>3) Uses much the same mechanism as PKI certificates, so there is no need
>to have a different variant of the protocol (different analysis and
>verification, different code, etc.) for them. 


4) We don't need a key exchange protocol capable of coping with both 
certificates and shared secrets.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com

---

Follow-Ups:

• Re: SOI: identity protection and DOS
• From: Henry Spencer <henry@spsystems.net>
• Re: SOI: identity protection and DOS
• From: "david chen" <ietf_davidchen@hotmail.com>

---

• Prev by Date: Re: SOI: identity protection and DOS
• Next by Date: Re: SOI: identity protection and DOS
• Prev by thread: Re: SOI: identity protection and DOS
• Next by thread: Re: SOI: identity protection and DOS
• Index(es):
  • Main
  • Thread