
Re: Please save the pre-shared key mode



In message <Pine.LNX.4.21.0112061533140.18937-100000@janpc-home.cisco.com>, Jan Vilhuber writes:

>> 
>> Till PKI fully interworks with IPsec devices, only then should we decide
>> whether to drop PSK or not.
>> 
>There are multiple ways of rolling out a pki, PKI, or PKi (yes, they are all
>different ;). They don't have to be PKIX-complex (is that a superset of
>NP-complete?). You can do it MUCH simpler, and still secure, and not need
>pre-shared symmetric keys. Use a pre-shared self-signed certificate, or
>pre-share the md5-signature of the key, and send it SSH style.

Obviously, I strongly agree with that.  And the next person who claims 
that one needs a PKI to use public keys will have to stay late after 
the working group meeting and clean up any pixels that were spilled 
onto the floor...

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
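
The SSH-style approach the quoted message describes (pre-share a fingerprint of the peer's public key, then check the key presented during the exchange against it), as an added example that is not part of the original thread. SHA-256 is used in place of the MD5 digest mentioned in the message; the `PinStore` class, peer names and key bytes are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(public_key_bytes: bytes) -> str:
    """Hex SHA-256 digest of the peer's encoded public key."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' as typed from an out-of-band channel."""
    return fp.replace(":", "").replace(" ", "").lower()


class PinStore:
    """Maps a peer identity to the fingerprint exchanged out of band."""

    def __init__(self):
        self._pins = {}

    def pin(self, peer_id: str, fp: str) -> None:
        self._pins[peer_id] = normalize(fp)

    def check(self, peer_id: str, presented_key: bytes) -> str:
        """Return 'match', 'mismatch' or 'unknown' for a presented key."""
        expected = self._pins.get(peer_id)
        if expected is None:
            # No pin on file: the caller must not silently trust the key.
            return "unknown"
        actual = fingerprint(presented_key)
        # Constant-time comparison of the two digests.
        same = hmac.compare_digest(actual.encode(), expected.encode())
        return "match" if same else "mismatch"


if __name__ == "__main__":
    # Constructed sample data standing in for real encoded public keys.
    real_key = b"constructed-public-key-of-gateway-A"
    other_key = b"constructed-public-key-of-someone-else"

    store = PinStore()
    fp = fingerprint(real_key)
    # Fingerprint as it might be read over the phone: upper case, colons.
    spoken = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()
    store.pin("gateway-a.example", spoken)

    print(store.check("gateway-a.example", real_key))
    print(store.check("gateway-a.example", other_key))
    print(store.check("gateway-b.example", real_key))
```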