
Re: SOI QUESTIONS: 2.1 Identity protection questions?



On Tue, 18 Jun 2002, Theodore Ts'o wrote:
> Protecting *both* the identity of the initiator and the responder against
> active attacks is very difficult...

I agree with the argument that protection of the initiator is usually more
important.  If nothing else, the fundamental asymmetry of the relationship
points that way:  the initiator can be anywhere, but it had to know how to
reach the responder, which often implies some degree of public knowledge
of the responder.

I'd prefer to see the initiator protected against active attacks, not just
passive.  And I'd go along with the idea of allowing the responder to ask
for an exchange of roles, preferably in the simplest way possible.

(NB:  I've left the FreeS/WAN project, and hence speak only for myself.)

                                                          Henry Spencer
                                                       henry@spsystems.net