[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: RESEND: Thoughts on identity attacks
Michael,
My recommendation is quite simple: Do not add any feature or capability to
the protocol (or indeed any protocol or product for that matter) unless
there is substantial reason to believe that it serves a useful purpose and
will be used.
It is simply good engineering practice not to build functionality into any
standard or product that is not truly needed or is not likely to be used.
Of course if is needed in the judgment of this list then we don't need to
have this debate. Paul's message specifically pointed out that there was no
response/interest and invited discussion on the subject. I am reporting
that I have not found any interest whatsoever in this feature in any
application that uses IPsec. (I mentioned VPNs only as an example.) Your,
and others', experience could well be different.
What will be of great help is for you, Paul or someone else to cite
sources/information that makes a case for putting this feature in. The
criteria being that such a feature would not only be useful in the judgment
of this list but also be perceived as useful by users/product makers. The
latter serves as an indication that the capability will actually get used.
By the way, it is probably not productive to exhume that old battle where
RFC writers/editors/contributors blame implementers for doing a
sloppy/mercenary job and implementers blaming RFC writers for producing
ambiguous, impractical and over engineered standards. Mistakes can and are
made on both sides. Please, let us not go there.
Khaja
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Michael Richardson
> Sent: Wednesday, February 06, 2002 12:16 PM
> To: Khaja E. Ahmed
> Cc: ipsec@lists.tislabs.com
> Subject: Re: RESEND: Thoughts on identity attacks
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> >>>>> "Khaja" == Khaja E Ahmed <khaja.ahmed@attbi.com> writes:
> Khaja> Perhaps the fact that there were no responses suggests that not
> Khaja> enough people think it is important. Let me introduce
> a counter
> Khaja> view. I not only think it is not important but I think that
> Khaja> pursuit of this goal risks further complicating an already too
> Khaja> complicated protocol. I really think our energies are best
> Khaja> directed at more important issues.
>
> Yes, like getting a PKI implementation that people can actually use.
>
> I'll bet that 90% of the "complexity" of IKE is really the I of PKI.
>
> Khaja> After a year of discussions on requirements with product
> Khaja> management of all the big VPN manufacturers, I have never even
>
> Well, that's nice. I suggest that you write an IPsec VPN BCP.
> This is not the VPN WG.
>
> Khaja> I think most companies find PKI itself too
> complicated. Both VPN
>
> I think that most companies have made very poor purchasing decisions
> when it comes to PKI products. I can't blame them. The offerings have been
> very horrible.
>
> ] ON HUMILITY: to err is human. To moo, bovine. |
> firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON
> |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/
> |device driver[
> ] panic("Just another NetBSD/notebook using, kernel hacking,
> security guy"); [
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: latin1
> Comment: Finger me for keys
>
> iQCVAwUBPGGPB4qHRg3pndX9AQEphwP+K6C6BZ+o70+TUIWHvoGmLAfYjv3ADXKd
> 5+nBfYH8JrFHO7EWuXWjuJTWXmSdlV/AN/1nrqS2WHRs/ceFGHlrk7+BisJyg6VC
> 33yWXkmD7p1OCgGqWhkkl0WQnuN3Yu0I078rHhz/TxAXtX7lbvZ44ggcrmbM2usI
> GSrfbOW80NI=
> =wQ58
> -----END PGP SIGNATURE-----