
Re: Please save the pre-shared key mode



On Thu, 6 Dec 2001, Dan McDonald wrote:
> It's a myth that public-key implies you MUST have a PKI.
> 
> Self-signed certs combined with explicit out-of-band trust models is just as
> non-cumbersome as pre-shared keys, IMHO, and they also offer
> IP-address-portability.  (Henry Spencer, correct me if I'm wrong, but
> FreeSWAN has a self-signed cert model that works, right?)

Simpler even than that:  we just move RSA keys around, in RFC 2537 format. 
No certificates involved at all.  Operationally it is essentially the same
as self-signed certs, but the implementation is simpler and has less
overhead.  The only snag is that most other implementations can't do
public-key-signature authentication at all without dragging in all the
certificate goo. 

                                                          Henry Spencer
                                                       henry@spsystems.net
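The RFC 2537 key format Henry refers to is small enough to show in full. The following is an added example, not code from this thread or from FreeS/WAN: it serializes an RSA public key (exponent, modulus) into the RFC 2537 wire form (a 1- or 3-octet exponent length, the exponent, then the modulus), parses it back with bounds checks, and shows the "explicit out-of-band trust" step, which is simply comparing the key a peer presents against a copy obtained out of band. The key values and the trusted-key table are constructed for the example; only the encoding rules come from RFC 2537.

```python
import base64
import hmac

# Constructed sample key for the demo (not a real key).
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE1234567891


def encode_rfc2537(e: int, n: int) -> bytes:
    """Serialize an RSA public key as RFC 2537 RDATA.

    Layout: exponent length (1 octet if < 256, else a zero octet followed by
    a 2-octet big-endian length), the exponent, then the modulus, which
    occupies the remainder of the blob.
    """
    if e <= 0 or n <= 0:
        raise ValueError("exponent and modulus must be positive")
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        length = bytes([len(exp)])
    elif len(exp) < 65536:
        length = b"\x00" + len(exp).to_bytes(2, "big")
    else:
        raise ValueError("exponent too long for RFC 2537")
    return length + exp + mod


def decode_rfc2537(data: bytes) -> tuple[int, int]:
    """Parse RFC 2537 RDATA back into (exponent, modulus).

    Every slice is length-checked first so a truncated or malformed blob
    raises ValueError instead of yielding a silently wrong key.
    """
    if not data:
        raise ValueError("empty key blob")
    if data[0] != 0:
        exp_len, off = data[0], 1
    else:
        if len(data) < 3:
            raise ValueError("truncated 3-octet exponent length")
        exp_len, off = int.from_bytes(data[1:3], "big"), 3
        if exp_len == 0:
            raise ValueError("zero-length exponent")
    # Need the whole exponent plus at least one octet of modulus.
    if len(data) < off + exp_len + 1:
        raise ValueError("blob too short for declared exponent length")
    exp = data[off:off + exp_len]
    mod = data[off + exp_len:]
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")


def to_base64(blob: bytes) -> str:
    """Text form suitable for pasting into a config file or mail message."""
    return base64.b64encode(blob).decode("ascii")


def from_base64(text: str) -> bytes:
    return base64.b64decode(text, validate=True)


def is_trusted_peer_key(presented: bytes, trusted: dict[str, bytes], peer: str) -> bool:
    """Out-of-band trust check: the key the peer presents must equal, byte for
    byte, the copy we obtained for that peer through some other channel.
    No certificate chain is consulted; a mismatch is simply untrusted.
    """
    expected = trusted.get(peer)
    if expected is None:
        return False
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    blob = encode_rfc2537(SAMPLE_E, SAMPLE_N)
    print("RFC 2537 hex   :", blob.hex())
    print("base64 for mail:", to_base64(blob))
    print("round trip     :", decode_rfc2537(from_base64(to_base64(blob))))
    # Hypothetical trusted-key table, as if filled in from an out-of-band exchange.
    trusted = {"gateway-a.example": blob}
    print("peer trusted   :", is_trusted_peer_key(blob, trusted, "gateway-a.example"))
    print("other peer     :", is_trusted_peer_key(blob, trusted, "gateway-b.example"))
```

The decoder deliberately refuses blobs whose declared exponent length runs past the end of the data; a permissive parser that tolerated that would accept a key with an empty or truncated modulus, which is the kind of defect that makes "just move the keys around" riskier than it needs to be.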