Re : keys visability (was : Re: auditing)

[Sara Bitan <sarab@xxxxxxxxxxxx>]

I don't see any reason why secret and private keys should be "visible" let 
alone be "modifiable". If secret keys are automatically generated (using 
let's say ISAKMP/Oakley), there is certainly no sense in modifying them, 
and no need in viewing them. Even if secure SNMP is used, this certainly 
decreases the security of the system. I think that it is good practice 
that private/ secret keys will never leave the machine on which they were 
generated (except maybe for key recovery purposes, and then a secure way 
of transporting the keys parts should be deviced).

The only case when you need to modify keys, is when you use manual 
keying. Even in this case, I think we should discuss if SNMP is the best 
way to enter these keys. 

I don't see any problem with having SNMP manage all but keys.

 Sara Bitan		sarab@radguard.com
 RADGUARD		http://www.radguard.com
 Tel-Aviv, Israel.
--------------------------------------------

On Thu, 3 Apr 1997, Uri Blumenthal wrote:

> Ran Atkinson says:
> > One could argue that it would be useful to have a standards-track SNMP 
> > IPsec MIB for diagnostic and auditing information.  If anyone wants to
> > volunteer to write up such a MIB for this WG to consider, please send 
> > an email to me and Paul Lambert.
> 
> OK, I volunteer. We'll talk about it in Memphis.
> 
> > I would suggest that things like
> > the crypto keys be kept outside such an SNMP MIB because it would be
> > unfortunate if a SNMP security breach caused an IPsec security breach.
> 
> I'm sorry but I have to disagree. 
> 
> 1. Without secure SNMP deployed, I find the wisdom of being
>    manageable via non-secure SNMP questionble.
> 
> 2. You either want IPSEC to be managed by SNMP or you don't.
>    In the first case, several crypto-related variables will 
>    have to be not only "visible" but "modifiable"...
>    That's life.
> -- 
> Regards,
> Uri		uri@watson.ibm.com
> -=-=-=-=-=-=-
> <Disclaimer>
>