[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Last ditch proposal for crypto suites
If a configuration has not been tested then it should not be offered.
So the folk who really think they need to use WAZOO, their bespoke public
crypto scheme should test WAZOO + AES + SHA1. The folk who really think they
need GUMPF symmetric encryption should check that with RSA and SHA1.
Somehow the fact that suites would force the WAZOO and GUMPF people to test
their two implementations against each other makes me feel happier about
things rather than worse.
Phill
> -----Original Message-----
> From: Paul Koning [mailto:pkoning@equallogic.com]
> Sent: Thursday, August 29, 2002 1:53 PM
> To: pbaker@verisign.com
> Cc: Charlie_Kaufman@notesdev.ibm.com; ipsec@lists.tislabs.com
> Subject: RE: Last ditch proposal for crypto suites
>
>
> If I heard Charlie right, the ability to handle a la carte negotiation
> would be optional, so if it turns out to be necessary after all, there
> would have to be a mad scramble to implement in in all the
> implementations that had left it out at first.
>
> Ok, so be it.
>
> One data point: in a past life when I implemented IPsec, we
> effectively implemented suites. The management interface had a MIB
> table of "crypto profiles" -- table rows with a name and a choice for
> each of the transforms. We supplied a default set of profiles, the
> obvious suspects: default-auth (md5 only); default-weak (md5 and des);
> default-strong (md5 and 3des). I don't remember anyone ever adding
> profiles to that list, unless they were testing oddball setups at
> bakeoff meetings...
>
> So I would argue that the suite approach is the best way to meet
> customer needs.
>
> paul
>