RE: Son-of-IKE Selection Criteria?
As I said in the preamble, you don't want your design to be constrained by
what PKIX implementations achieve. XKMS is already deployed and is in the
process of being standardized.
Phill
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227
> -----Original Message-----
> From: Dilkie, Lee [mailto:Lee_Dilkie@Mitel.COM]
> Sent: Friday, December 07, 2001 2:41 PM
> To: Hallam-Baker, Phillip; 'Derek Atkins'
> Cc: 'Walker, Jesse'; ipsec@lists.tislabs.com
> Subject: RE: Son-of-IKE Selection Criteria?
>
>
> I see no reason to revoke a certificate just because you re-issued due to
> a name change. There was no compromise of the original private key, so why
> would you need to go through the expense of revoking a certificate?
>
> Lee Dilkie
>
> Mitel Networks
> 350 Legget Drive
> Kanata, ON, Canada
> K2K 2W7
>
> Phone: 1-613-592-5660
>
> "It wasn't easy to juggle a pregnant wife and a troubled
> child, but somehow I managed to fit in eight hours of TV a day."
> - Homer Simpson (from "The Simpsons")
>
>
> -----Original Message-----
> From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
> Sent: Friday, December 07, 2001 12:13 PM
> To: 'Derek Atkins'; Hallam-Baker, Phillip
> Cc: 'Walker, Jesse'; ipsec@lists.tislabs.com
> Subject: RE: Son-of-IKE Selection Criteria?
>
>
> First let us be clear about the different types of dynamic address. In
> practice very few addresses are genuinely 'dynamic'.
>
> Second, in this I will talk about 'certificates' since they are what the
> group are familiar with. But remember that this is simply a shorthand for
> 'binding of data to a private key' and there might be a scheme such as
> XKMS supporting the use.
>
> 1) The address is actually static but is dynamically reallocated for
> operational reasons.
> E.g. most cable modem addresses, which rarely change (unless Excite
> goes bankrupt that week).
>
> Can issue a certificate bound to the IP address.
>
> If the IP address changes, revoke & reissue (note, probably want to
> use XKMS rather than CRLs!)
>
> 2) The address is dynamic, being allocated each time from a fixed pool.
> E.g. dial-up access
>
> Here we have a number of approaches,
>
> A) Generate a key / cert for each address in the pool.
> When the initiator attempts to connect to the responder with the
> client credential, the request is intercepted at the POP. The POP first
> performs a key agreement using the key bound to the IP address, then once
> the tunnel is created forwards the client request through the tunnel.
>
> B) Use disposable key / cert pairs.
> The initiator applies for a pool of key/cert pairs which are cached.
> These are discarded after a single use. The disposable key/cert pair may
> not even be certified by a trusted third party; it may be self-signed.
>
> C) Issue a certificate that has a wild card in it
> E.g. 18.23.1.* (think binary mask)
>
>
> While the cost of such systems may appear high, the concealment of
> identity is inherently an expensive process IF DONE WELL. If the
> concealment is poor then better not to bother at all.
>
> Phill
>
>
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
>
>
> > -----Original Message-----
> > From: Derek Atkins [mailto:warlord@MIT.EDU]
> > Sent: Wednesday, December 05, 2001 3:33 PM
> > To: Hallam-Baker, Phillip
> > Cc: 'Walker, Jesse'; ipsec@lists.tislabs.com
> > Subject: Re: Son-of-IKE Selection Criteria?
> >
> >
> > Phill,
> >
> > "Hallam-Baker, Phillip" <pbaker@verisign.com> writes:
> >
> > > 1. Issue every device an IP identity credential bound to its IP address.
> > > This is the ONLY form of identity that can provably prevent any
> > > additional disclosure of identity in an IP environment since your
> > > IP address is known in any case.
> > >
> > > 2. Perform two sequential key agreements,
> > > first an IP address based agreement
> > > second an identity based agreement encrypted under the key of (1).
> > >
> >
> > How would you cope with machines with dynamic IP address?
> >
> > -derek
> >
> > --
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord@MIT.EDU PGP key available
> >
>
Phillip
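Option C in Phill's quoted message, a certificate carrying a wildcard address such as 18.23.1.* that is to be read as a binary mask, is easy to get wrong in a validator. The following is an added example, not code from the thread or from any IPsec or XKMS implementation, showing how a responder could translate the address field of such a credential into a network mask and check a peer's source address against it. The spec syntax (trailing-octet wildcard, CIDR, or dotted netmask) and the function names are assumptions for illustration; the point the thread makes, that only a contiguous suffix wildcard corresponds to a mask, is enforced by rejecting forms like 18.*.1.5. The helper that reports how many addresses a constraint covers is added to make the trade-off in the thread concrete: a wider mask hides the initiator among more addresses but also lets more hosts present the same credential.

```python
import ipaddress

# Hypothetical address-constraint syntax for an IP-bound credential.
# Accepted forms:
#   "18.23.1.5"               exact address (/32)
#   "18.23.1.*"               trailing-octet wildcard, i.e. 18.23.1.0/24
#   "18.23.0.0/16"            CIDR prefix
#   "18.23.0.0/255.255.0.0"   explicit dotted netmask
# A wildcard only makes sense as a contiguous suffix ("think binary mask"):
# "18.*.1.5" has no prefix-mask equivalent and is rejected.


def cert_address_constraint(spec: str) -> ipaddress.IPv4Network:
    """Translate a credential's address field into an IPv4 network (binary mask)."""
    if "/" in spec:
        # ipaddress accepts both prefix lengths and dotted masks. strict=True
        # rejects specs with host bits set under the mask (e.g. 18.23.1.5/24),
        # which would otherwise silently widen the constraint.
        return ipaddress.IPv4Network(spec, strict=True)

    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"malformed address spec: {spec!r}")

    prefix_octets = []
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
        elif seen_star:
            # A literal octet after a wildcard cannot be expressed as a mask.
            raise ValueError(f"non-contiguous wildcard has no mask form: {spec!r}")
        else:
            if not octet.isdigit() or not 0 <= int(octet) <= 255:
                raise ValueError(f"bad octet in address spec: {spec!r}")
            prefix_octets.append(octet)

    prefix_len = 8 * len(prefix_octets)
    base = ".".join(prefix_octets + ["0"] * (4 - len(prefix_octets)))
    return ipaddress.IPv4Network(f"{base}/{prefix_len}")


def address_matches(spec: str, peer_ip: str) -> bool:
    """True if the peer's source address falls under the credential's mask."""
    return ipaddress.IPv4Address(peer_ip) in cert_address_constraint(spec)


def anonymity_set_size(spec: str) -> int:
    """Number of addresses the credential covers: the set the peer hides in,
    and equally the set of hosts that could legitimately present it."""
    return cert_address_constraint(spec).num_addresses


if __name__ == "__main__":
    # Constructed sample checks, not data from the thread.
    for spec, peer in [("18.23.1.*", "18.23.1.77"),
                       ("18.23.1.*", "18.23.2.1"),
                       ("18.23.0.0/255.255.0.0", "18.23.200.1")]:
        print(f"{spec:24} {peer:14} -> match={address_matches(spec, peer)} "
              f"set={anonymity_set_size(spec)}")
    for bad in ("18.*.1.5", "18.23.1.5/24"):
        try:
            cert_address_constraint(bad)
        except ValueError as err:
            print(f"rejected: {err}")
```

The `strict=True` check matters for the same reason the wildcard check does: a constraint that quietly covers more addresses than the issuer wrote down is exactly the "poor concealment" the thread warns is worse than none.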