RE: SOI: identity protection and DOS

[Paul Koning <ni1d@arrl.net>]

>>>>> "Andrew" == Andrew Krywaniuk <andrew.krywaniuk@alcatel.com> writes:
 >> ...
 >> Not true. You only need a authenticated transport for the public
 >> key hashes: you don't have to keep them private.

 Andrew> I thought about this, but the distinction is mostly moot
 Andrew> because there aren't that many circumstances where you can
 Andrew> get authentication without secrecy. Maybe if you phoned the
 Andrew> person and you thought the phone might be tapped but you
 Andrew> could recognize their voice... Other popular key distribution
 Andrew> techniques, such as e-mail, finger, websites, voice-mail from
 Andrew> an administrator are unlikely to have that property where
 Andrew> they are (meaningfully) authenticated but not secret.

You left out a well established public key distribution scheme that
fits the description: the PGP Web of Trust.

There is even a spec for the use of PGP keys with IKE.  I remember at
least one implementation (don't know how many more there are).  If
people are interested in a scheme that doesn't require the out of band
channel to have privacy (as shared secrets do), allows for self-signed
keys but isn't limited to them, and doesn't have the insistence on
centralization that the X.509 style CA schemes have, wider
implementation of that spec would be an option to consider.

       paul

---

Follow-Ups:

• RE: SOI: identity protection and DOS
• From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

References:

• RE: SOI: identity protection and DOS
• From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
• RE: SOI: identity protection and DOS
• From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

---

• Prev by Date: Re: SOI: identity protection and DOS
• Next by Date: Gee, shared secrets suck (was: Re: SOI: identity protection and DOS)
• Prev by thread: Re: SOI: identity protection and DOS
• Next by thread: RE: SOI: identity protection and DOS
• Index(es):
  • Main
  • Thread