[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Son-of-IKE Selection Criteria?



I think before we start discussing selection we should look to see what
other alternatives are on offer, and whether the discussion leads to better
choices emerging.

I really don't think we should go down to the bit level yet. Syntax is the
hobgoblin of tiny minds. Lets agree on the principles first.

In particular the improvements in JFK are largely the result of discovering
that certain 'requirements' to be dictated by cryptographic dogma rather
than the real world. In the real world we don't need a negotiation algorithm
to support several hundred possible combinations of algorithms because there
is in general only one 'prefered set' at a time and it typically only
changes every 5 years or so. 

Equally it may turn out that certain 'requirements' are actually
unreachable. concealment of identity for example. My preferred means of
dealing with that is to 

1. Issue every device an IP identity credential bound to its IP address.
	This is the ONLY form of identity that can provably prevent any 
	additional disclosure of identity in an IP environment since your
	IP address is known in any case.

2. Perform two sequential key agreements, ]
	first an IP address based agreement
	second an identity based agreement encrypted under the key of (1).

Unfortunately I did not have time between the publication of JFK to reformat
XKASS as an internet draft and submitt in time for the IETF meeting cut off.
the paper has been available for several months now however and for those of
you who do not like pdf a version in internet draft format will shortly be
available, albeit with the inevitable readbility problems of plaintext
documents describing mathematical algorithms.

If people are interested the paper is at:

http://www.xmltrustcenter.org/research/xkass/index.htm

The intended application is XML Web services, however readers will note a
distinct resemblance to JFK.


		Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


Phillip


Follow-Ups: