
RE: Please save the pre-shared key mode



While I agree with you that self-signed certs plus out-of-band trust models
may be an alternative way to deliver IKE credentials, I would like to see it
in a more standardized format and with wider acceptance by the industry. On
the other hand, PSK-based IKE and PKI-based IKE have been the main ways
people deploy VPNs. In that context, PSK is simpler to run than PKI.


-----Original Message-----
From: Dan McDonald [mailto:danmcd@east.sun.com] 
Sent: Thursday, December 06, 2001 1:28 PM
To: Wang, Cliff
Cc: ipsec@lists.tislabs.com
Subject: Re: Please save the pre-shared key mode


> 1) Simplicity
> Pre-shared key mode is simpler to support by eliminating the 
> requirement of supporting complex PKI.

It's a myth that public-key implies you MUST have a PKI.

Self-signed certs combined with explicit out-of-band trust models are just as
non-cumbersome as pre-shared keys, IMHO, and they also offer
IP-address-portability.  (Henry Spencer, correct me if I'm wrong, but
FreeSWAN has a self-signed cert model that works, right?)

If we keep pre-shared, let's have a scalable way of identifying them.  In a
multi-homed world (esp. IPv6), pre-shared keys indexed by address pairs are
as much hassle as PKI registration (it's just less snake-oil than most PKIs
;).

For testing, I run server machines with self-signed certs.  For small
(10-100) numbers of clients, it works out _quite_ nicely, and w/o any of the
PKI cruft.  Peer-to-peer explosions are about the only case where PKI is
really needed, and pre-shared won't help you any there either.  It's just a
matter of running certificate-generation, e-mail, and verifying hashes
out-of-band.

I'm not totally against nuking pre-shared.  It's not, however, the panacea
of simplicity many think it is, and simplicity arguments don't hold water.

Dan
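
Added example, not part of either message: a sketch of the "verify hashes out-of-band" step for self-signed certs, with trust keyed by peer identity rather than by address pair. The SHA-256 choice, the function names, the peer name `vpn-gw.example` and the sample byte strings are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from the first CERTIFICATE block."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(pem: str) -> bytes:
    """SHA-256 over the DER encoding: the value both admins compare."""
    return hashlib.sha256(pem_to_der(pem)).digest()

def format_fingerprint(digest: bytes) -> str:
    return ":".join(f"{b:02X}" for b in digest)

def parse_fingerprint(text: str) -> bytes:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; require all 32 bytes."""
    raw = bytes.fromhex(re.sub(r"[\s:]", "", text))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("truncated or over-long fingerprint")
    return raw

def peer_is_trusted(peer_id: str, presented_pem: str, pins: dict) -> bool:
    """Trust is keyed by peer identity, not by address pair. Fail closed."""
    pinned = pins.get(peer_id)
    if pinned is None:
        return False
    try:
        return hmac.compare_digest(fingerprint(presented_pem),
                                   parse_fingerprint(pinned))
    except ValueError:  # malformed PEM, bad hex, wrong length
        return False

# Constructed stand-ins for DER certificates (not real X.509 encodings).
SERVER_PEM = der_to_pem(b"constructed-server-cert-" + bytes(range(64)))
OTHER_PEM = der_to_pem(b"constructed-other-cert-" + bytes(range(64)))
# Pin as the client admin would record it after the out-of-band check.
PINS = {"vpn-gw.example": format_fingerprint(fingerprint(SERVER_PEM))}
```

A pin that was shortened when it was read out or copied is rejected rather than matched on a prefix, so a partial fingerprint never counts as verification.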

