Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
On Thu, 20 Jun 2002, Michael Richardson wrote:
> >>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
> >> They migrate from distributing opaque blobs of hex digits that must be
> >> kept private to distributing opaque blobs of base64 digits that do not
> >> benefit from staying private, but it doesn't hurt them either.
> >>
> >> Can they tell the difference? The length is a bit longer.
>
> Paul> A LOT longer. Long enough that -- unlike preshared keys -- you
> Paul> cannot enter them manually.
>
> Not compared to a decent shared secret. If you want to do passwords, fine.
> However, since they do not need to be kept secret, you can cut and paste.
> For the client system, typing stuff in is not the end of the world. Here is
> a 1024 bit public key:
>
> AwEAAZ7PeJWDMO69GjPbXWaN0UnHnNj3lANETIAtluJbpLfVeVpRubsYTru4kYxU
> K999Ga/23/Aw7mZrI+wQ3uhF36Tuxw76ls3FsgJuWxqdzLxlZxM8r/lXNGUftLPk
> fxbTwXgsfKcqhJCfraPLFH0QhCRVN56EW3Y91YCIMMyRAHbR
>
> I wouldn't want to do that every day, but it is doable. Babble format
> would do an even better job.
>
> Paul> True. But PK, even if all you ever use is self-signed certs, still
> Paul> needs a lot more near-incomprehensible concepts than preshared keys
> Paul> do.
>
> Only if you write a poor interface.
But that's the point... it's very possible to design a bad interface for
handling public keys (and innumerable ways to design a good one). Without
a clear and concise mandate from this WG on the minimum requirements for
PK/PKI, there will be interoperability problems (NOTE: this is not a
bits-on-the-wire issue but a deployment issue).... IKEv1 should serve as
an example for that! The same really can't be said for pre-shared keys...
they are simple, straight-forward, and almost guaranteed to interoperate
between any two vendors. Why throw it away?
> ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
=====================================================================
= Tylor Allison Secure Computing Corporation =========
=====================================================================