
Re: Choosing between IKEv2 and JFK




Steve, yes -- I was simply pointing out that one can *also* cache the
result, to avoid re-verification.
-Angelos

In message <p0510031ab8ae9fd47c4b@[128.89.88.34]>, Stephen Kent writes:
 >
 >		<SNIP>
 >
 >>
 >>You don't cache the certificates, you cache the result of the verification of
 >>the certificates. If you received the same set of certificates as an hour ago
 >>(when you established the SA last), and you verified all the signatures then,
 >>you don't need to re-check the signatures. You need to verify the RSA signature
 >>on the message itself.
 >
 >Angelos,
 >
 >In many cases, caching validated certs is appropriate, because one 
 >may have an opportunity to reuse CA certs that were part of the cert 
 >path.
 >
 >Steve
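
The approach discussed in this thread, caching the result of certificate verification while still checking the signature on every message, sketched as an added example that is not part of the original e-mails or of any IKEv2/JFK implementation. The class and function names are hypothetical, and `verify_chain` and `verify_signature` in `demo()` are constructed stand-ins for real X.509 path validation and RSA verification.

```python
import hashlib
import hmac
import time

class ChainResultCache:
    """Remembers that a certificate set validated; never skips the message signature."""

    def __init__(self, verify_chain, verify_signature, max_age=3600, clock=time.time):
        self.verify_chain = verify_chain          # expensive: returns earliest notAfter, or None
        self.verify_signature = verify_signature  # per-message check, always executed
        self.max_age, self.clock = max_age, clock
        self.valid_until = {}                     # digest of chain -> time the result expires
        self.full_validations = 0

    @staticmethod
    def _digest(chain):
        h = hashlib.sha256()
        for der in chain:                         # length prefix keeps cert boundaries unambiguous
            h.update(len(der).to_bytes(4, "big") + der)
        return h.digest()

    def chain_ok(self, chain):
        key, now = self._digest(chain), self.clock()
        if self.valid_until.get(key, 0) > now:
            return True                           # same bytes as a chain validated earlier
        self.valid_until.pop(key, None)
        self.full_validations += 1
        not_after = self.verify_chain(chain)
        if not_after is None or not_after <= now:
            return False                          # failures are never cached
        self.valid_until[key] = min(now + self.max_age, not_after)
        return True

    def accept(self, chain, message, signature):
        return self.chain_ok(chain) and self.verify_signature(chain[0], message, signature)

def demo():
    """Constructed stand-ins for X.509 path validation and RSA verification."""
    now = [1000.0]
    sign = lambda leaf, msg: hashlib.sha256(leaf + msg).digest()
    cache = ChainResultCache(
        verify_chain=lambda c: 3000.0 if c[-1] == b"ROOT" else None,
        verify_signature=lambda leaf, m, s: hmac.compare_digest(s, sign(leaf, m)),
        clock=lambda: now[0])
    chain = [b"LEAF", b"CA1", b"ROOT"]
    first = cache.accept(chain, b"msg1", sign(b"LEAF", b"msg1"))
    again = cache.accept(chain, b"msg2", sign(b"LEAF", b"msg2"))   # cache hit
    forged = cache.accept(chain, b"msg3", b"\x00" * 32)            # hit, but bad signature
    now[0] = 3500.0                                                # past earliest notAfter
    expired = cache.accept(chain, b"msg4", sign(b"LEAF", b"msg4"))
    return first, again, forged, expired, cache.full_validations
```

A cached result also hides any revocation that happens after it was stored, so `max_age` should be no longer than the revocation latency the deployment can tolerate.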