[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Son of Ike status

To: ipsec@lists.tislabs.com
Subject: RE: Son of Ike status
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Date: Wed, 21 Aug 2002 13:09:06 -0700
In-Reply-To: <OFD9EFBBAD.F7AC3131-ON85256C1C.00540A5E-85256C1C.0054ABE0@iris.com>
References: <OFD9EFBBAD.F7AC3131-ON85256C1C.00540A5E-85256C1C.0054ABE0@iris.com>
Sender: owner-ipsec@lists.tislabs.com

At 11:24 AM -0400 8/21/02, Charlie_Kaufman@notesdev.ibm.com wrote:
>My plan was to say that messages could be half-encrypted/half-plaintext
>where the first half would always be plaintext and the second half
>encrypted and integrity protected. The encryption syntax would be the same
>as before but would start not immediately after the header but rather
>at the beginning of a particular playload type - that payload being
>whatever
>happened to appear first in the part of the message we wanted to encrypt.

An alternative is to have a payload called something like "Encrypted 
stuff" that contains other payloads. Recursion of this payload would 
be unneeded and should be prohibited.

>I was planning to say that only message 3 in the exchange could be so
>encoded... other messages had to be all cleartext or all plain.

An advantage of having messages 3 and 4 have the same structure 
(clear payloads and one encrypted enclosing payload) is that the 
responder could send informational messages in the clear in message 
4, such as "your key is in the wrong group and therefore I couldn't 
encrypt with it" or "your message 3 appears to be bogus, go away".

--Paul Hoffman, Director
--VPN Consortium

Follow-Ups:
- RE: Son of Ike status
  - From: Charlie_Kaufman@notesdev.ibm.com

References:
- RE: Son of Ike status
  - From: Charlie_Kaufman@notesdev.ibm.com

Prev by Date: RE: Son of Ike status
Next by Date: RE: Son of Ike status
Prev by thread: RE: Son of Ike status
Next by thread: RE: Son of Ike status
Index(es):
- Date
- Thread