[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Please kill preshared key.

To: "'sommerfeld@east.sun.com'" <sommerfeld@east.sun.com>, ipsec@lists.tislabs.com
Subject: RE: Please kill preshared key.
From: "Wang, Cliff" <CWang@smartpipes.com>
Date: Thu, 6 Dec 2001 21:16:49 -0000
Sender: owner-ipsec@lists.tislabs.com

We are not talking about adding something new. We are talking about whether
deleting or saving PSK from IKE. 

Taking awaying a working feature used by many existing customers may never
be a good idea, unless there is a severe security flaw. 


-----Original Message-----
From: Bill Sommerfeld [mailto:sommerfeld@east.sun.com] 
Sent: Thursday, December 06, 2001 1:48 PM
To: ipsec@lists.tislabs.com
Subject: Please kill preshared key.


Since there are people arguing to save preshared key, I just wanted to
reemphasize that: 

 0) it adds cryptographic complexity -- you essentially need a different
cryptographic protocol for PSK vs. signature keys.  Let's spend the cycles
of our cryptographers on more important stuff than this.

 1) it adds YET ONE MORE OPTION you need to test, one more knob you can
misconfigure.. more time for customers spent fumbling around trying to
figure out how to configure systems.

 2) equivalent functionality can be found in preconfigured public keys
and/or self-signed certificates.

There's no need for it, it adds complexity.  Kill it.

					- Bill

Prev by Date: Re: Son-of-IKE Performance
Next by Date: Re: Son-of-IKE Performance
Prev by thread: RE: Please kill preshared key.
Next by thread: RE: Please kill preshared key.
Index(es):
- Main
- Thread