
Re: A problem with public key encryption in IKE



Steve,
You're right. The non-repudiation feature does not seem very useful for IPSEC. One really has to sign a specific document to take advantage of that feature.
On the other hand, the repudiability feature of pk encryption does seem useful. To take as an example an issue that has been in the news recently, suppose a gay serviceman (in the US armed forces) is accessing a gay web site (he would be using SSL rather than IPSEC, but I'm just trying to illustrate the repudiability feature). If he uses a digital signature for authentication, the military would be able to prove that he has accessed the site. If he uses pk encryption, the military will not be able to prove it. So the serviceman would find value in using pk encryption rather than digital signature.
Since non-repudiation does not seem useful but repudiability does seem useful, this suggests that, as a general design principle, one should use pk encryption for authenticating connections rather than signatures.
I'm not proposing to drop signatures from IKE, of course, I'm just theorizing.
Francisco


______________________________ Reply Separator _________________________________
Subject: Re: A problem with public key encryption in IKE
Author: Non-HP-kent (kent@bbn.com) at HP-ColSprings,mimegw5
Date: 12/14/99 12:38 PM


Francisco,
Whether a signature provides a basis for non-repudiation depends on the details of the generation process. Note that in the case of IPsec, at most one might be able to prove that a peer initiated an SA, but the signature applied during the IKE exchange would not say anything about what data was sent on the SAs later. So, while I like the use of signatures for IKE authentication, I would not argue too strongly for them based on any non-repudiation basis.
Steve
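
Added example, not part of the original messages: a simplified model of the repudiability point discussed in this thread, showing that when authentication rests on nonces encrypted to each peer's public key, the verifying side can produce an equally valid transcript on its own. Assumptions: textbook RSA on constructed toy keys, a MAC keyed from both nonces as a stand-in for the IKE HASH payload, and hypothetical function names and identity string.

```python
import hashlib, hmac, secrets

# Textbook RSA on constructed toy keys (Mersenne primes, no padding).
# Illustration only; never use unpadded RSA or keys like these in practice.
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # (public, private)

def rsa(key, m):
    n, exp = key
    return pow(m, exp, n)

def auth_hash(ni, nr, ident):
    # Simplified stand-in for the IKE HASH payload: a MAC keyed from both nonces.
    skey = hashlib.sha256(ni.to_bytes(8, "big") + nr.to_bytes(8, "big")).digest()
    return hmac.new(skey, ident, hashlib.sha256).hexdigest()

def real_run(client_priv, client_pub, site_pub, ident):
    ni = secrets.randbits(64)
    c1 = rsa(site_pub, ni)                   # client -> site: Ni under site's key
    nr = secrets.randbits(64)
    c2 = rsa(client_pub, nr)                 # site -> client: Nr under client's key
    nr_seen = rsa(client_priv, c2)           # only the real client can recover Nr
    return c1, c2, auth_hash(ni, nr_seen, ident), nr

def forged_by_site(client_pub, site_pub, ident):
    # The site picks both nonces itself; the client's private key is never used.
    ni, nr = secrets.randbits(64), secrets.randbits(64)
    return rsa(site_pub, ni), rsa(client_pub, nr), auth_hash(ni, nr, ident), nr

def third_party_accepts(evidence, site_priv, client_pub, ident):
    # The site hands over its private key and Nr; the checker replays the math.
    c1, c2, h, nr = evidence
    ni = rsa(site_priv, c1)
    return rsa(client_pub, nr) == c2 and hmac.compare_digest(h, auth_hash(ni, nr, ident))

CLIENT_PUB, CLIENT_PRIV = keygen(2**61 - 1, 2**89 - 1)
SITE_PUB, SITE_PRIV = keygen(2**107 - 1, 2**127 - 1)
IDENT = b"client@example.test"               # constructed identity

if __name__ == "__main__":
    real = real_run(CLIENT_PRIV, CLIENT_PUB, SITE_PUB, IDENT)
    fake = forged_by_site(CLIENT_PUB, SITE_PUB, IDENT)
    print(third_party_accepts(real, SITE_PRIV, CLIENT_PUB, IDENT))
    print(third_party_accepts(fake, SITE_PRIV, CLIENT_PUB, IDENT))
```

Both checks succeed, so the evidence the site can hand to a third party does not show that the client took part. A signature over the exchange could not be produced by the site without the client's private key, which is the difference the thread is weighing.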