
Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)



A lot of times, it's just the user community not understanding how a PKI (or
even PK) works. IKE/IPsec should not be targeted for the knowledgeable user,
but also for those who know they need security, but want it easy (SOHO
environments come to mind). The "Super-duper secret password" is easy to
figure out. If we can support PSK (which is my vote) and PKI (or just PK),
then as the user becomes more comfortable with the technology, then the move
to PKI will be a less painful one (if the CA vendors make their CAs easy to
use).

I like the MUST for PK and a SHOULD for PSK. Maybe Dan can re-publish his
PSK draft again :-)

As for PFS, if it's there, it has to be negotiated. I would prefer that it be
optional so that the widest possible platforms can support IKE/IPsec (CPU
constraints, memory etc).

I think these kinds of discussions (which in most cases seem quite focused)
are very useful. Keep those cards and letters coming :-)

Regards
Scott
----- Original Message -----
From: "Michael Richardson" <mcr@sandelman.ottawa.on.ca>
To: "Tylor Allison" <allison@securecomputing.com>
Cc: "Paul Koning" <pkoning@equallogic.com>; <ipsec@lists.tislabs.com>
Sent: Thursday, June 20, 2002 8:37 PM
Subject: Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)


>
> >>>>> "Tylor" == Tylor Allison <allison@securecomputing.com> writes:
>     Tylor> But that's the point... it's very possible to design a bad
>     Tylor> interface for handling public keys (and innumerable ways to design
>     Tylor> a good one).  Without a clear and concise mandate from this WG on
>     Tylor> the minimum requirements for PK/PKI, there will be
>     Tylor> interoperability problems (NOTE: this is not a bits-on-the-wire
>     Tylor> issue but a deployment issue).... IKEv1 should serve as an example
>     Tylor> for that!  The same really can't be said for pre-shared keys...
>     Tylor> they are simple, straight-forward, and almost guaranteed to
>     Tylor> interoperate between any two vendors.  Why throw it away?
>
>   You'd think so, wouldn't you, yet I've seen some pretty bad interfaces.
>
>   No, the only reason why the pre-shared key interface was simple was because
> developers used it for testing. They never used PKI stuff except at bakeoffs,
> because few *developers* know how to set up the PKI stuff, let alone have
> a budget to buy a copy of something with a manual.
>
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [