
RE: Please save the pre-shared key mode



Jan,

Cut it out.  Going PK implies PKI, which in turn implies X.509.
Don't try to BS the fact that X.509 is a beast to use.  You got
everything from signature chain checking to X.500 name space to
all sorts of attribute extensions.  Heck I'm into this stuff,
and Microsoft did a good job with their email client GUI, yet
I finally gave up signing my emails because there was always 
something I had to do to keep it going or to work around some
stupid interoperability problem.

- Alex

At 12:44 PM 12/7/2001 -0800, Jan Vilhuber wrote:
>On Fri, 7 Dec 2001, Wang, Cliff wrote:
>
>> 
>> This thread is talking about saving the pre-shared key mode, instead of
>> saying nothing else works.
>> 
>> I am not sure how you can hide a whole PKI system away under smart UI?
>
>I'm not about to design your products for you, but several alternatives have
>been proposed, ranging from using self-signed pre-shared certs and using
>key-finger-prints in lieu of a pre-shared key. The rest is up to you.
>
>> I am also not sure how smart UI can solve the issue that on Cisco low end
>> box PKI based IPsec performs much slower in comparison to PSK based IPsec.
>> 
>The last point seems completely off topic. I can't run linux on my wristwatch
>either. What's the point? New things may only work on newer boxes.
>
>jan
>
>
>
>
>> 
>> -----Original Message-----
>> From: Jan Vilhuber [mailto:vilhuber@cisco.com] 
>> Sent: Friday, December 07, 2001 2:58 PM
>> To: Wang, Cliff
>> Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
>> Subject: RE: Please save the pre-shared key mode
>> 
>> 
>> On Fri, 7 Dec 2001, Wang, Cliff wrote:
>> 
>> > From the operation point of view, PSK is quick and easy to set up service.
>> > It works and customers are happy. It is more real than a myth.
>> > 
>> The myth is that nothing else works. PSK is a behind-the-scenes abstraction,
>> that good programmers can hide from users altogether. A good UI can hide any
>> other mechanism as well and make it as easy to configure.
>> 
>> jan
>> 
>> 
>> > 
>> > 
>> > -----Original Message-----
>> > From: Jan Vilhuber [mailto:vilhuber@cisco.com]
>> > Sent: Thursday, December 06, 2001 6:39 PM
>> > To: Wang, Cliff
>> > Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
>> > Subject: RE: Please save the pre-shared key mode
>> > 
>> > > On the
>> > > other hand, PSK based IKE and PKI based IKE has been the main way people
>> > > deploying VPN. Under that context, PSK is simpler to run than PKI.
>> > > 
>> > I think that's the myth Dan was talking about.
>> > 
>> > jan
>> > 
>> > 
>> > 
>> > > 
>> > > -----Original Message-----
>> > > From: Dan McDonald [mailto:danmcd@east.sun.com]
>> > > Sent: Thursday, December 06, 2001 1:28 PM
>> > > To: Wang, Cliff
>> > > Cc: ipsec@lists.tislabs.com
>> > > Subject: Re: Please save the pre-shared key mode
>> > > 
>> > > 
>> > > > 1) Simplicity
>> > > > Pre-shared key mode is simpler to support by eliminating the 
>> > > > requirement of supporting complex PKI.
>> > > 
>> > > It's a myth that public-key implies you MUST have a PKI.
>> > > 
>> > > Self-signed certs combined with explicit out-of-band trust models are
>> > > just as non-cumbersome as pre-shared keys, IMHO, and they also offer 
>> > > IP-address-portability.  (Henry Spencer, correct me if I'm wrong, but 
>> > > FreeSWAN has a self-signed cert model that works, right?)
>> > > 
>> > > If we keep pre-shared, let's have a scalable way of identifying them.
>> > > In a multi-homed world (esp. IPv6), pre-shared keys indexed by address 
>> > > pairs is as much hassle as PKI registration (it's just less snake-oil 
>> > > than most PKIs ;).
>> > > 
>> > > For testing, I run server machines with self-signed certs.  For small
>> > > (10-100) numbers of clients, it works out _quite_ nicely, and w/o any 
>> > > of the PKI cruft.  Peer-to-peer explosions are about the only case 
>> > > where PKI is really needed, and pre-shared won't help you any there 
>> > > either.  It's just a matter of running certificate-generation, e-mail, 
>> > > and verifying hashes out-of-band.
>> > > 
>> > > I'm not totally against nuking pre-shared.  It's not, however, the
>> > > panacea of simplicity many think it is, and simplicity arguments don't 
>> > > hold water.
>> > > 
>> > > Dan
>> > > 
>> > 
>> >  --
>> > Jan Vilhuber                                            vilhuber@cisco.com
>> > Cisco Systems, San Jose                                     (408) 527-0847
>> > 
>> 
>>  --
>> Jan Vilhuber                                            vilhuber@cisco.com
>> Cisco Systems, San Jose                                     (408) 527-0847
>> 
>
> --
>Jan Vilhuber                                            vilhuber@cisco.com
>Cisco Systems, San Jose                                     (408) 527-0847
>
>
>
--

Alex Alten
Alten@Home.Com
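Dan's "certificate-generation, e-mail, and verifying hashes out-of-band" model, quoted above, as an added shell example that is not part of this thread: each gateway mints its own self-signed cert, and the peer pins the SHA-256 fingerprint it received out-of-band instead of a pre-shared key. It assumes openssl is installed; the file names and the identity gw1.example are placeholders.

```shell
#!/bin/sh
# Added example: self-signed cert + out-of-band fingerprint pinning, no CA.
# Assumes openssl is on PATH; "gw1" and "gw1.example" are placeholder names.
set -eu

# Each gateway generates its own self-signed certificate.  One CN, no
# signature chain, no X.500 hierarchy, no attribute extensions to chase.
gen_selfsigned() {   # gen_selfsigned <basename> <CN>
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" -days 365 2>/dev/null
}

# The value an admin reads over the phone or pastes into the peer's config.
# It is keyed by the peer's identity, not its address, so the peer can move
# between IP addresses (or be multi-homed) without re-keying.
fingerprint() {      # fingerprint <cert.pem>  -> "AB:CD:..."
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Peer side: does the presented cert match the pinned fingerprint?
# Exit status 0 on match, 1 on mismatch.  Hex case is normalised so a
# hand-typed pin still compares equal.
verify_pinned() {    # verify_pinned <presented.crt> <expected-fingerprint>
    actual=$(fingerprint "$1" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}
```

On mismatch the IKE responder should refuse the peer outright; a fingerprint that does not match the pin is indistinguishable from an impostor's cert.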


