
Re: SOI QUESTIONS: 2.1 Identity protection questions?



> > Note that this has implications for re-keying: the responder may
> > not be able to initiate re-keying if that implies re-authenticating.
> > I know some gateway vendors for some reason wish to do that.
> 
> Without a responder lifetime notify or some kind of negotiated lifetimes,
> you can't control who rekeys first.

Tying this together with 2.2 (PFS):

You can't really be said to have forward-secrecy properties unless you
have an idea of when the peer's going to destroy the last of the
keying material.

Note that explicit SA deletion requests are not sufficient for this,
because one or both of the peers could have transient or unreliable
connectivity and deletion might not be possible or might not succeed.

						- Bill
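The point above, as an added illustration that is not part of this thread or of any IKE implementation: a small Python model of two peers' SA databases in which the initiator rekeys at a constructed time of 60 s and sends a DELETE for the old SA, which either arrives or is lost. With no negotiated lifetime, a lost DELETE leaves the old key material on the responder indefinitely; with a hard lifetime, the responder destroys it at expiry whether or not any message gets through. The names (`SA`, `Peer`, `simulate`), the timings and the lifetime values are assumptions made for this example.

```python
"""Added example: negotiated SA lifetime vs. explicit DELETE as a bound on key lifetime.

This is a constructed model for illustration, not code from any IPsec/IKE stack.
"""
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SA:
    """One IPsec SA as held in a peer's SA database (toy model)."""
    spi: int
    key: bytes
    created: int                      # seconds
    hard_lifetime: Optional[int]      # seconds; None = no negotiated lifetime

    def expired(self, now: int) -> bool:
        return self.hard_lifetime is not None and now >= self.created + self.hard_lifetime


class Peer:
    """Minimal SAD: installs SAs, honours DELETE notifies, enforces hard lifetimes."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sad: Dict[int, SA] = {}

    def install(self, sa: SA) -> None:
        self.sad[sa.spi] = sa

    def on_delete(self, spi: int) -> None:
        # Explicit deletion only helps if the DELETE notify actually arrives.
        self.sad.pop(spi, None)

    def expire(self, now: int) -> None:
        # Lifetime enforcement is purely local: no message from the peer is needed.
        for spi in [s for s, sa in self.sad.items() if sa.expired(now)]:
            del self.sad[spi]

    def holds_key(self, spi: int) -> bool:
        return spi in self.sad


def simulate(hard_lifetime: Optional[int], delete_delivered: bool,
             rekey_at: int = 60, horizon: int = 600) -> Optional[int]:
    """Return the first second at which the responder no longer holds the old SA's key,
    or None if it still holds it when the simulation reaches `horizon`.

    Assumed scenario: the initiator rekeys at `rekey_at`, installs a new SA on both
    sides, discards its own copy of the old key and sends a DELETE for the old SPI,
    which reaches the responder only if `delete_delivered` is True.
    """
    initiator, responder = Peer("initiator"), Peer("responder")
    old_key = os.urandom(32)  # constructed key material
    old_spi = 0x1001
    for peer in (initiator, responder):
        peer.install(SA(old_spi, old_key, created=0, hard_lifetime=hard_lifetime))

    for t in range(0, horizon + 1):
        if t == rekey_at:
            new_key = os.urandom(32)
            for peer in (initiator, responder):
                peer.install(SA(0x1002, new_key, created=t, hard_lifetime=hard_lifetime))
            initiator.on_delete(old_spi)       # initiator wipes its old key at once
            if delete_delivered:               # ... but the responder only does if told
                responder.on_delete(old_spi)
        responder.expire(t)
        if not responder.holds_key(old_spi):
            return t
    return None


if __name__ == "__main__":
    for lifetime in (None, 300):
        for delivered in (True, False):
            when = simulate(lifetime, delivered)
            print(f"lifetime={lifetime!s:>4} delete_delivered={delivered!s:<5} "
                  f"old key gone from responder at: {when}")
```

Running it shows the asymmetry Bill describes: with `hard_lifetime=None` the old key survives on the responder past the whole horizon whenever the DELETE is lost, whereas with a negotiated lifetime the worst case is bounded at `created + hard_lifetime` regardless of connectivity.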