
RE: Please save the pre-shared key mode



The documentation is not about how to generate a self-signed cert. The
document should cover the integration with IKEv2, security analysis, wire
format, etc.

Without clear-cut IETF documentation, it might be difficult for vendors to
get on the same page and accept it.


-----Original Message-----
From: Henry Spencer [mailto:henry@spsystems.net] 
Sent: Friday, December 07, 2001 4:46 PM
To: Wang, Cliff
Cc: 'Jan Vilhuber'; ipsec@lists.tislabs.com
Subject: RE: Please save the pre-shared key mode


On Fri, 7 Dec 2001, Wang, Cliff wrote:
>> The justification being offered for saving it is "nothing else works" 
>> -- that is, that there is no other equally quick and simple way of 
>> setting up a simple connection.  This is false.  There are non-PKI 
>> approaches to public keys which are just as simple and easy as PSK.
> 
> ...Where are these alternative approaches documented in the form of an
> Internet-Draft?

I don't know that anyone has ever thought to document them in I-Ds, since
mostly they are too simple to need much explaining.  The hard part is
deprogramming people from the "public key implies PKI" religion. 

Self-signed certs are a well-known concept, and fit naturally into existing
cert machinery. 

RFC 3110 documents how to represent (in DNS) RSA public keys without
involving any form of certificate.  We used that as our representation. 
We preconfigure with public keys in much the same way that we preconfigure
with shared secrets.  What else is there to tell? 

                                                          Henry Spencer
                                                       henry@spsystems.net
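The RFC 3110 representation Henry refers to is simple enough to show in full. The following is an added example, not code from the original thread or from FreeS/WAN: it serialises an RSA public key into the RFC 3110 RDATA layout (exponent length, exponent, modulus; the length is one octet, or a zero octet followed by a two-octet length when the exponent is 256 octets or longer; leading zero octets are prohibited), parses it back with those checks enforced, and wraps the result in the base64 presentation form used in a KEY RR. The sample modulus is a constructed byte pattern, not a real RSA modulus, and the "0s" prefix in `to_freeswan_config` is FreeS/WAN's ipsec.conf marker for a base64 `leftrsasigkey`/`rightrsasigkey` value, included here as an assumption about that convention rather than something the thread states.

```python
import base64

# RFC 3110 section 2: an RSA public key's RDATA is
#     exponent length | exponent | modulus
# The length is one octet, or a zero octet followed by two octets in
# network byte order when the exponent is 256 octets or longer.  Exponent
# and modulus are unsigned big-endian with no leading zero octets.

# Constructed sample modulus (a byte pattern, NOT a real RSA modulus).
SAMPLE_N = int.from_bytes(bytes(range(0xC0, 0xC0 + 64)), "big")
SAMPLE_E = 65537


def _be(x):
    """Minimal big-endian encoding of a positive integer (no leading zeros)."""
    if x <= 0:
        raise ValueError("value must be positive")
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def rfc3110_encode(e, n):
    """Serialise the RSA public key (e, n) as RFC 3110 RDATA."""
    exp, mod = _be(e), _be(n)
    if len(exp) < 256:
        hdr = bytes([len(exp)])                      # one-octet length form
    elif len(exp) < 65536:
        hdr = b"\x00" + len(exp).to_bytes(2, "big")  # three-octet length form
    else:
        raise ValueError("exponent longer than RFC 3110 can express")
    return hdr + exp + mod


def rfc3110_decode(data):
    """Parse RFC 3110 RDATA into (e, n); raises ValueError on malformed input."""
    if len(data) < 1:
        raise ValueError("empty RDATA")
    if data[0] != 0:
        elen, off = data[0], 1
    else:
        if len(data) < 3:
            raise ValueError("truncated three-octet exponent length")
        elen, off = int.from_bytes(data[1:3], "big"), 3
    exp = data[off:off + elen]
    mod = data[off + elen:]
    if len(exp) != elen or not exp or not mod:
        raise ValueError("truncated exponent or missing modulus")
    if exp[0] == 0 or mod[0] == 0:
        raise ValueError("leading zero octets are prohibited by RFC 3110")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")


def is_valid_rdata(data):
    """True if the blob parses as a well-formed RFC 3110 public key."""
    try:
        rfc3110_decode(data)
        return True
    except ValueError:
        return False


def to_presentation(e, n):
    """Base64 text of the RDATA, as it appears in a KEY RR's presentation format."""
    return base64.b64encode(rfc3110_encode(e, n)).decode("ascii")


def from_presentation(text):
    """Inverse of to_presentation."""
    return rfc3110_decode(base64.b64decode(text))


def to_freeswan_config(e, n):
    """Assumption: FreeS/WAN takes the same blob as leftrsasigkey/rightrsasigkey,
    with a "0s" prefix marking the value as base64."""
    return "0s" + to_presentation(e, n)


if __name__ == "__main__":
    blob = rfc3110_encode(SAMPLE_E, SAMPLE_N)
    print("rdata head:", blob[:4].hex())          # 03010001: len 3, e = 65537
    print("ipsec.conf:", to_freeswan_config(SAMPLE_E, SAMPLE_N)[:24], "...")
    print("round trip ok:", rfc3110_decode(blob) == (SAMPLE_E, SAMPLE_N))
```

Note that the parser rejects the inputs the RFC forbids (a leading zero octet in either field, a truncated length prefix) rather than silently accepting them; a peer whose configured key blob fails these checks should be reported at configuration time, the same way a malformed shared secret would be.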

