Re: Please save the pre-shared key mode
On Thu, 6 Dec 2001, Dan McDonald wrote:
> It's a myth that public-key implies you MUST have a PKI.
>
> Self-signed certs combined with explicit out-of-band trust models are just as
> non-cumbersome as pre-shared keys, IMHO, and they also offer
> IP-address-portability. (Henry Spencer, correct me if I'm wrong, but
> FreeSWAN has a self-signed cert model that works, right?)
Simpler even than that: we just move RSA keys around, in RFC 2537 format.
No certificates involved at all. Operationally it is essentially the same
as self-signed certs, but the implementation is simpler and has less
overhead. The only snag is that most other implementations can't do
public-key-signature authentication at all without dragging in all the
certificate goo.
Henry Spencer
henry@spsystems.net
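The raw-key transport Henry describes, shown as an added example that is not from the original message or from FreeS/WAN's own code: the RFC 2537 layout for an RSA public key (exponent length, exponent, modulus) encoded and parsed back, with a length check on the way in. The key values are constructed, not a real key.

```python
"""RFC 2537 RSA public-key payload, as moved around by FreeS/WAN instead of certs.

Added example; layout per RFC 2537 section 2, not code from the list post.
"""
import base64
from typing import Tuple


def encode_rfc2537(exponent: int, modulus: int) -> bytes:
    """Build the algorithm-specific RDATA: exponent length, exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) < 256:
        hdr = bytes([len(e)])                         # one-octet length
    elif len(e) < 65536:
        hdr = b"\x00" + len(e).to_bytes(2, "big")     # zero, then two-octet length
    else:
        raise ValueError("exponent too long for RFC 2537")
    return hdr + e + n


def decode_rfc2537(data: bytes) -> Tuple[int, int]:
    """Parse RDATA back into (exponent, modulus); reject truncated input."""
    if not data:
        raise ValueError("empty key data")
    if data[0] != 0:
        elen, off = data[0], 1
    else:
        if len(data) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(data[1:3], "big"), 3
    # Need the whole exponent plus at least one modulus octet.
    if elen == 0 or len(data) < off + elen + 1:
        raise ValueError("truncated or malformed key data")
    e = int.from_bytes(data[off:off + elen], "big")
    n = int.from_bytes(data[off + elen:], "big")
    return e, n


def to_freeswan_text(exponent: int, modulus: int) -> str:
    """Text form for ipsec.conf/ipsec.secrets: '0s' marks base64 in FreeS/WAN."""
    return "0s" + base64.b64encode(encode_rfc2537(exponent, modulus)).decode("ascii")


# Constructed sample modulus (1024-bit, odd); not a real key.
SAMPLE_MODULUS = (1 << 1023) + 0x123457
```

With exponent 3 the text form starts with "0sAQ", which is the shape FreeS/WAN raw RSA keys have in configuration files.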