Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)

[Michael Richardson <mcr@sandelman.ottawa.on.ca>]

>>>>> "Tylor" == Tylor Allison <allison@securecomputing.com> writes:
    Tylor> But that's the point... it's very possible to design a bad
    Tylor> interface for handling public keys (and innumerable ways to design
    Tylor> a good one).  Without a clear and concise mandate from this WG on
    Tylor> the minimum requirements for PK/PKI, there will be
    Tylor> interoperability problems (NOTE: this is not a bits-on-the-wire
    Tylor> issue but a deployment issue).... IKEv1 should serve as an example
    Tylor> for that!  The same really can't be said for pre-shared keys...
    Tylor> they are simple, straight-forward, and almost guaranteed to
    Tylor> interoperate between any two vendors.  Why throw it away?

  You'd think so, wouldn't you, yet I've seen some pretty bad interfaces.

  No, the only reason why the pre-shared key interface was simple was because
developers used it for testing. They never used PKI stuff except at bakeoffs,
because few *developers* know how to setup the PKI stuff, let alone have
a budget to buy a copy of something with a manual.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [