
Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)

>>>>> "Tylor" == Tylor Allison <allison@securecomputing.com> writes:
    Tylor> On Tue, 18 Jun 2002, Theodore Ts'o wrote:

    >> Again, IPSEC working group --- please discuss:
    >> 
    >> 2.3.A.)  Does SOI need to natively support "legacy authentication
    >> systems"?

    Tylor> Absolutely yes... for the same reasons everyone has stated.

    >> 2.3.B.)  Does SOI need to natively support some kind of "shared
    >> secret" scheme?

    Tylor> Yes... again for stated reasons.  I just want to add the following...

    Tylor> Many customers have deployed with pre-shared key authentication
    Tylor> ... will these customers roll to IKEv2 if this authentication is
    Tylor> not supported? What is their migration path?

  They migrate from distributing opaque blobs of hex digits that must be
kept private to distributing opaque blobs of base64 digits that do not
benefit from staying private, but it doesn't hurt them either.

  Can they tell the difference? The length is a bit longer.

    Tylor> If pre-shared key authentication is not supported, is this WG
    Tylor> going to define a minimal set of how PKI is to be used with VPNs?
    Tylor> How keys/certs 

  PK, yes. 

  PKI, no. It is a PKIX problem.
 
  Everyone please repeat: PK does not require I to be useful.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
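The hex-blob versus base64-blob contrast above, as an added example that is not from this thread or any IETF draft: a constructed Go program in which the pre-shared key is an HMAC-SHA256 key handed out as a hex string and the public key is an Ed25519 key handed out as a base64 string, and the question asked is what an outsider who obtains only the distributed blob can do. The HMAC/Ed25519 choice, the transcript string, the sample PSK and the function names are assumptions; real IKE payloads are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// PSK path: the distributed hex blob IS the secret; any holder can authenticate.
func pskAuthenticator(pskHex string, msg []byte) ([]byte, error) {
	psk, err := hex.DecodeString(pskHex)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, psk)
	mac.Write(msg)
	return mac.Sum(nil), nil
}

func pskVerify(pskHex string, msg, tag []byte) bool {
	want, err := pskAuthenticator(pskHex, msg)
	return err == nil && hmac.Equal(want, tag)
}

// Raw-PK path: the base64 blob is an Ed25519 public key; it needs integrity, not secrecy.
func pkVerify(pubB64 string, msg, sig []byte) bool {
	pub, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

// Given only the distributed blob, can an outsider authenticate as the peer?
// For PK the outsider can only sign with a key of their own. Returns (viaPSK, viaRawPK).
func BlobHolderCanImpersonate(pskHex, pubB64 string, msg []byte) (bool, bool) {
	tag, err := pskAuthenticator(pskHex, msg)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return err == nil && pskVerify(pskHex, msg, tag),
		pkVerify(pubB64, msg, ed25519.Sign(otherPriv, msg))
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // peer's key; only the public half is handed out
	p, k := BlobHolderCanImpersonate("0f1e2d3c4b5a69788796a5b4c3d2e1f0", base64.StdEncoding.EncodeToString(pub), []byte("constructed auth transcript"))
	fmt.Printf("outsider holding the PSK blob authenticates: %v; holding the raw-PK blob: %v\n", p, k)
}
```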