[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

replacing preshared keys

To: Paul Koning <pkoning@equallogic.com>
Subject: replacing preshared keys
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Thu, 20 Jun 2002 15:14:12 -0400
cc: mcr@sandelman.ottawa.on.ca, ipsec@lists.tislabs.com
In-Reply-To: Your message of "Thu, 20 Jun 2002 13:56:18 EDT." <15634.5954.4000.837554@gargle.gargle.HOWL>
Reply-to: sommerfeld@east.sun.com
Sender: owner-ipsec@lists.tislabs.com

> A LOT longer.  Long enough that -- unlike preshared keys -- you cannot
> enter them manually.

how about either hash-of-public-key (i.e., key fingerprint) or
hash-of-selfsigned-cert or as the user-visible identification blob?

with truncated hashes, you can trade off security vs. ease-of-use.

> True.  But PK, even if all you ever use is selfsigned certs, still
> needs a lot more near-incomprehensible concepts than preshared keys
> do.

user runs a program to generate the node key and the self-signed cert
and it spits out the hash-of-key or hash-of-cert which is exchanged
out of band with peers.  i don't see particularly hard concepts there
in terms of explaining what you have to do..

						- Bill

References:
- Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
  - From: Paul Koning <pkoning@equallogic.com>

Prev by Date: Re: SOI QUESTIONS: 2.4 Number of crypto operations
Next by Date: RE: SOI QUESTIONS: 2.4-2.6
Prev by thread: Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
Next by thread: Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
Index(es):
- Date
- Thread