
Re: Public Keys to initiate IPsec.




----- Original Message -----
From: "Eric Nielsen" <Eric.Nielsen@sylantro.com>
Subject: Public Keys to initiate IPsec.

>They may be symmetric keys for ESP or a private/public key pair for AH.
AH uses symmetric-based cryptography.

> ========================================================================
> All that said, is there a streamlined process like this I can implement
> within IPsec/IKE/IKEv2/JFK today?

Not really, at least not in IKE v1.

>Are there key differences or security
> holes that may or may not make it possible to use this kind of process?

What you have described as your phase one is in essence a PKI and enrolling a
client into that PKI with the one-time password.  IKE assumes that you
already have the trust relationship in place, either through a shared key or
via a certified public key.  All (!) you are doing in IKE is verifying the
identity; you are not managing the identity's credentials within your trust
'hierarchy'.  Combining the two operations would unnecessarily complicate
IKE.

Check out the PKIX working group, specifically RFC 2510, and/or RFC 2797.
But I would look into finding more about SCEP before implementing 2797 if
you want an "on-line" enrolment protocol.

Bye.
Greg.
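The split Greg draws above (enrolment into the PKI with a one-time password as one operation; IKE merely verifying an identity against trust that already exists) is shown below as an added example. It is not code from this thread, and it is not SCEP, CMP (RFC 2510) or CMC (RFC 2797); it is a hypothetical model of the poster's "phase one" in Go, using only the standard library. The CA, the identity `gw1.example.net`, the 16-byte one-time password and the HMAC-over-CSR proof are all constructed here for illustration. The client proves knowledge of the OTP by an HMAC over its CSR, so the OTP never crosses the wire and the proof is bound to exactly one public key; the CA checks proof of possession via the CSR signature, checks that the CSR names the identity the OTP was issued for, and consumes the OTP so a replayed request fails. `VerifyPeer` is the whole of what the IKE side then does with the credential: chain the certificate to the configured roots and check that it names the claimed identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// EnrollmentCA models the poster's "phase one": a CA that enrols a client on the strength
// of a one-time password (OTP) handed over out of band. Hypothetical model, not SCEP/CMP/CMC.
type EnrollmentCA struct {
	key   *ecdsa.PrivateKey
	cert  *x509.Certificate
	Roots *x509.CertPool    // what IKE peers are configured to trust: the CA, not per-client keys
	otps  map[string][]byte // identity -> unused OTP, deleted on first successful use
}

func NewEnrollmentCA() (*EnrollmentCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Enrollment CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &EnrollmentCA{key: key, cert: cert, Roots: roots, otps: map[string][]byte{}}, nil
}

// IssueOTP mints the one-time password an operator gives the client out of band.
func (ca *EnrollmentCA) IssueOTP(identity string) []byte {
	otp := make([]byte, 16)
	rand.Read(otp) // crypto/rand never returns a short read on supported platforms
	ca.otps[identity] = otp
	return otp
}

// proof binds the OTP to one exact CSR: an on-path attacker who lacks the OTP cannot swap in
// a CSR for a key they control, and the OTP itself never crosses the wire.
func proof(otp, csrDER []byte) []byte {
	h := hmac.New(sha256.New, otp)
	h.Write(csrDER)
	return h.Sum(nil)
}

// Enroll checks the OTP proof, proof of possession of the private key and the identity in the
// CSR, then consumes the OTP and returns a DER certificate signed by the CA.
func (ca *EnrollmentCA) Enroll(identity string, csrDER, mac []byte) ([]byte, error) {
	otp, ok := ca.otps[identity]
	if !ok {
		return nil, errors.New("no outstanding enrolment for identity (never issued or already used)")
	}
	if !hmac.Equal(mac, proof(otp, csrDER)) {
		return nil, errors.New("one-time password proof does not verify")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // client really holds the private key
		return nil, err
	}
	if csr.Subject.CommonName != identity {
		return nil, errors.New("CSR subject does not match the identity the OTP was issued for")
	}
	delete(ca.otps, identity) // one-time: replaying the same (CSR, proof) pair now fails
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, leaf, ca.cert, csr.PublicKey, ca.key)
}

// ClientEnroll is the client side: fresh key pair, CSR for its identity, OTP proof over the CSR.
func ClientEnroll(identity string, otp []byte) (csrDER, mac []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: identity}}
	if csrDER, err = x509.CreateCertificateRequest(rand.Reader, req, key); err != nil {
		return nil, nil, err
	}
	return csrDER, proof(otp, csrDER), nil
}

// VerifyPeer is all the IKE step does with the credential, as the reply says: chain the peer's
// certificate to the configured roots and check that it names the claimed identity.
func VerifyPeer(roots *x509.CertPool, certDER []byte, claimed string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.Subject.CommonName != claimed {
		return errors.New("certificate identity does not match the claimed identity")
	}
	return nil
}
```

Typical flow: `otp := ca.IssueOTP(id)`, `csr, mac, _ := ClientEnroll(id, otp)`, `cert, _ := ca.Enroll(id, csr, mac)`, then `VerifyPeer(ca.Roots, cert, id)` on the IKE side. Two caveats a practitioner should keep in mind: anyone who learns the OTP before it is consumed can enrol a key of their choosing, so the out-of-band channel is the whole security of phase one; and real IKE does more than `VerifyPeer` (the peer also signs the exchange to prove it holds the certified key), which is exactly the part IKE already does and the enrolment step does not replace.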