[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
>>>>> "Tylor" == Tylor Allison <allison@securecomputing.com> writes:
Tylor> But that's the point... it's very possible to design a bad
Tylor> interface for handling public keys (and innumerable ways to design
Tylor> a good one). Without a clear and concise mandate from this WG on
Tylor> the minimum requirements for PK/PKI, there will be
Tylor> interoperability problems (NOTE: this is not a bits-on-the-wire
Tylor> issue but a deployment issue).... IKEv1 should serve as an example
Tylor> for that! The same really can't be said for pre-shared keys...
Tylor> they are simple, straight-forward, and almost guaranteed to
Tylor> interoperate between any two vendors. Why throw it away?
You'd think so, wouldn't you, yet I've seen some pretty bad interfaces.
No, the only reason why the pre-shared key interface was simple was because
developers used it for testing. They never used PKI stuff except at bakeoffs,
because few *developers* know how to setup the PKI stuff, let alone have
a budget to buy a copy of something with a manual.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [