
Re: Do ipsec vendors care about privacy?



Hugo,

I continue to agree with this sentiment.  I think it's important to 
protect IDi for remote client access.

I prefer the second choice outlined: having the responder authenticate 
itself in message 2.

I do not think this change is too radical to adopt at this late time.  
It just needs some tender loving consensus.

Derrell

On Thursday, March 20, 2003, at 11:10  PM, Hugo Krawczyk wrote:

> I agree: no time for major surgery on the document.
> But not too late for a change that takes 1-5 minutes editorial work.
> On the other hand, I admit that there are some operational issues
> that are not fully resolved in my proposals and need more input from
> people that care and know better. If this does not come on time
> to make the document before being closed then we will not have it.
>
> On the other hand, user's id protection in the remote access protocol of
> ikev2 IS A NATURAL REQUIREMENT according to anything I heard from ipsec
> developers (on the list and outside the list). So giving the
> opportunity to this substantial improvement if it comes at little cost
> and on time is a reasonable thing to do.
>
> In any case, I raised the issue and two possible solutions, but I am not
> the one that needs to decide if the WG is to adopt this or not. THOSE
> THAT CARE (in one way or another) SHOULD SPEAK UP.
>
> If there is not enough interest, then nothing needs to be done.
> At least it will be documented that this was a conscious decision rather
> than an oversight or the result of simple rushing.
> (This will help against future criticizers of the protocol that will
> raise these issues in their papers...)
>
> I will be glad to see some technical discussion in the coming days
> if people care about having such discussions. Beyond that I am not going
> to insist (this is not an area of "correct cryptographic design" for
> which I personally care but rather one of engineering trade-offs that
> others understand better than me).