RE: Please save the pre-shared key mode
On Fri, 7 Dec 2001, Wang, Cliff wrote:
> The bottom line is that although a smart UI can help a user simplify his task, it
> doesn't completely solve the complexity issue we are talking about.
What complexity issue? As has been pointed out over and over (and over)
again: You don't need a complex PKI to do public keys. The rest is
implementation details, and pre-shared self-signed certificates are no more
complex than pre-shared symmetric keys.
jan
> Otherwise there is no need for us to discuss this here anymore.
>
> -----Original Message-----
> From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> Sent: Friday, December 07, 2001 3:44 PM
> To: Wang, Cliff
> Cc: ipsec@lists.tislabs.com
> Subject: RE: Please save the pre-shared key mode
>
>
> On Fri, 7 Dec 2001, Wang, Cliff wrote:
>
> >
> > This thread is talking about saving the pre-shared key mode, instead
> > of saying nothing else works.
> >
> > I am not sure how you can hide a whole PKI system away under a smart UI?
>
> I'm not about to design your products for you, but several alternatives have
> been proposed, ranging from using self-signed pre-shared certs and using
> key-finger-prints in lieu of a pre-shared key. The rest is up to you.
>
> > I am also not sure how a smart UI can solve the issue that on a Cisco low-end
> > box PKI-based IPsec performs much slower in comparison to PSK-based
> > IPsec.
> >
> The last point seems completely off topic. I can't run Linux on my
> wristwatch either. What's the point? New things may only work on newer
> boxes.
>
> jan
>
>
>
>
> >
> > -----Original Message-----
> > From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> > Sent: Friday, December 07, 2001 2:58 PM
> > To: Wang, Cliff
> > Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
> > Subject: RE: Please save the pre-shared key mode
> >
> >
> > On Fri, 7 Dec 2001, Wang, Cliff wrote:
> >
> > > From the operational point of view, PSK is quick and easy to set up
> > > service. It works and customers are happy. It is more real than a myth.
> > >
> > The myth is that nothing else works. PSK is a behind-the-scenes
> > abstraction that good programmers can hide from users altogether. A
> > good UI can hide any other mechanism as well and make it as easy to
> > configure.
> >
> > jan
> >
> >
> > >
> > >
> > > -----Original Message-----
> > > From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> > > Sent: Thursday, December 06, 2001 6:39 PM
> > > To: Wang, Cliff
> > > Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
> > > Subject: RE: Please save the pre-shared key mode
> > >
> > > > On the other hand, PSK-based IKE and PKI-based IKE have been the main way
> > > > people deploy VPNs. In that context, PSK is simpler to run than PKI.
> > > >
> > > I think that's the myth Dan was talking about.
> > >
> > > jan
> > >
> > >
> > >
> > > >
> > > > -----Original Message-----
> > > > From: Dan McDonald [mailto:danmcd@east.sun.com]
> > > > Sent: Thursday, December 06, 2001 1:28 PM
> > > > To: Wang, Cliff
> > > > Cc: ipsec@lists.tislabs.com
> > > > Subject: Re: Please save the pre-shared key mode
> > > >
> > > >
> > > > > 1) Simplicity
> > > > > Pre-shared key mode is simpler to support by eliminating the
> > > > > requirement of supporting complex PKI.
> > > >
> > > > It's a myth that public-key implies you MUST have a PKI.
> > > >
> > > > Self-signed certs combined with explicit out-of-band trust models
> > > > are just as non-cumbersome as pre-shared keys, IMHO, and they also
> > > > offer IP-address portability. (Henry Spencer, correct me if I'm
> > > > wrong, but FreeSWAN has a self-signed cert model that works,
> > > > right?)
> > > >
> > > > If we keep pre-shared, let's have a scalable way of identifying them.
> > > > In a multi-homed world (esp. IPv6), pre-shared keys indexed by address
> > > > pairs are as much hassle as PKI registration (it's just less snake-oil
> > > > than most PKIs ;).
> > > >
> > > > For testing, I run server machines with self-signed certs. For small
> > > > (10-100) numbers of clients, it works out _quite_ nicely, and w/o any
> > > > of the PKI cruft. Peer-to-peer explosions are about the only case
> > > > where PKI is really needed, and pre-shared won't help you any there
> > > > either. It's just a matter of running certificate generation, e-mail,
> > > > and verifying hashes out-of-band.
> > > >
> > > > I'm not totally against nuking pre-shared. It's not, however, the
> > > > panacea of simplicity many think it is, and simplicity arguments
> > > > don't hold water.
> > > >
> > > > Dan
> > > >
> > >
> > > --
> > > Jan Vilhuber vilhuber@cisco.com
> > > Cisco Systems, San Jose (408) 527-0847
> > >
> >
> > --
> > Jan Vilhuber vilhuber@cisco.com
> > Cisco Systems, San Jose (408) 527-0847
> >
>
> --
> Jan Vilhuber vilhuber@cisco.com
> Cisco Systems, San Jose (408) 527-0847
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
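The trust model Dan and Jan argue for above (a self-signed certificate per peer, its hash exchanged out-of-band, and no CA anywhere) as an added Go example; this is not code from the thread, from FreeSWAN, or from any Cisco product. The SHA-256 fingerprint, the identity strings and the map-shaped trust table are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// NewSelfSignedCert builds a key pair and a self-signed certificate that names
// the peer by an identity string rather than an IP address. No CA is involved.
func NewSelfSignedCert(id string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: id},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER certificate: the short value an admin
// reads to the other side out-of-band and enters into that peer's trust table.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyPeer accepts a presented certificate only if the fingerprint pinned for
// the claimed identity matches it and its self-signature verifies under its own
// public key. No certificate chain or CA is consulted anywhere.
func VerifyPeer(pinned map[string]string, id string, cert *x509.Certificate) bool {
	want, ok := pinned[id]
	return ok && Fingerprint(cert) == want &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}
```

A second certificate generated under the same name but a different key has a different fingerprint, so it is rejected even though its self-signature is valid; that is the whole trust decision, and it is no more configuration than one pre-shared key per peer.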