
Re: SOI: identity protection and DOS



Agree,
However, the self-cert does not use PKInfrastructure to authenticate the
public key in the cert;
what is used to authenticate the public key is the same requirement as that
of pre-shared key.
The only difference is that the self-cert (or any cert) does *not*
(it is still argued in this thread for id protection) require an encrypted
distribution channel.

On the point of 'id protection', the self-cert (or any cert) requires some
encryption,
but not of the public key in the cert.
If 'id protection' is true,
we see the self-cert still requires some form of encrypted secure channel
between peers.

--- David


----- Original Message -----
From: "Henry Spencer" <henry@spsystems.net>
To: "david chen" <ietf_davidchen@hotmail.com>
Cc: <ipsec@lists.tislabs.com>
Sent: Wednesday, November 28, 2001 8:20 AM
Subject: Re: SOI: identity protection and DOS


> On Wed, 28 Nov 2001, david chen wrote:
> > I try to say that
> > if self-signed certs depend on the out-of-band 'secured channel' that
> > is used the same as pre-shared key for its key management,
> > then why not just use pre-shared key? and save the trouble for
> > public/private keys.
> > Don't see the advantage of using 'self-cert' over 'pre-shared' in this
> > case.
>
> At least three advantages:
>
> 1) Self-certs need not be kept secret to be usable.  So the channel used
> to verify them must be authenticated but need not be private, they need
> not be stored in secure storage, etc.
>
> 2) No requirement to have a separate self-cert for each connection; one
> per host suffices.
>
> 3) Uses much the same mechanism as PKI certificates, so there is no need
> to have a different variant of the protocol (different analysis and
> verification, different code, etc.) for them.
>
>                                                           Henry Spencer
>                                                        henry@spsystems.net
>
>
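Henry's first two points are about what has to be protected and how it is distributed: the certificate and its fingerprint are public, the channel that carries the fingerprint only has to be authenticated, and one certificate per host serves every peer. As an added example (not code from either poster or from any IETF document), this Go program assumes a constructed host name "gw.example.test" and shows that flow with the standard library only: a host builds one self-signed Ed25519 certificate, publishes its SHA-256 fingerprint, and each peer checks the presented certificate against that fingerprint and against its own signature; a substituted or altered certificate is rejected.

```go
package main

// Added example (not code from the thread): a host keeps one self-signed
// certificate, publishes its fingerprint, and any peer verifies the
// certificate the host presents against that fingerprint. The fingerprint is
// public; what matters is that the peer received it unaltered.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfCert generates an Ed25519 key pair and a certificate signed by that
// same key. One such certificate per host is enough for all of its peers.
func NewSelfCert(hostname string) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Template and parent are the same object: the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	return der, priv, nil
}

// Fingerprint is the hex SHA-256 of the DER certificate. It contains no
// secret, so it can be printed, mailed or posted; only its integrity matters.
func Fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// VerifyPeer is what a peer does with the certificate a host presents:
// compare it with the fingerprint obtained over an authenticated channel,
// then confirm the certificate really is signed by the key it carries.
func VerifyPeer(presented []byte, expectedFingerprint string) error {
	got := Fingerprint(presented)
	if subtle.ConstantTimeCompare([]byte(got), []byte(expectedFingerprint)) != 1 {
		return errors.New("certificate does not match the out-of-band fingerprint")
	}
	cert, err := x509.ParseCertificate(presented)
	if err != nil {
		return err
	}
	// Self-signed: the certificate's own public key must verify its signature.
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return fmt.Errorf("self-signature invalid: %w", err)
	}
	if _, ok := cert.PublicKey.(ed25519.PublicKey); !ok {
		return errors.New("unexpected key type")
	}
	return nil
}

func main() {
	// "gw.example.test" is a constructed host name, not one from the thread.
	der, _, err := NewSelfCert("gw.example.test")
	if err != nil {
		panic(err)
	}
	fp := Fingerprint(der)
	fmt.Println("published fingerprint:", fp)

	// Two different peers verify the same certificate with the same fingerprint.
	for _, peer := range []string{"peer-a", "peer-b"} {
		fmt.Printf("%s: %v\n", peer, VerifyPeer(der, fp))
	}

	// A substituted certificate (different key, same name) fails the fingerprint check.
	other, _, _ := NewSelfCert("gw.example.test")
	fmt.Println("substituted cert:", VerifyPeer(other, fp))
}
```

The fingerprint comparison comes before signature checking so that a peer never spends a signature verification on a certificate that was not the expected one; the same verification routine serves every peer because nothing in it is per-connection, which is the practical content of Henry's second point.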

