> -----Original Message-----
> From: Bill Sommerfeld [mailto:sommerfeld@xxxxxxxxxxxx]
> Sent: Friday, October 13, 2000 6:00 PM
> To: Paul Leach
> Cc: Jan Vilhuber; Michael Thomas; Greg Troxel; ietf-kink@xxxxxxxx
> Subject: Re: lack of PFS considered harmful
>
>
> > The good news is that I believe use of PK options of Kerberos with
> > Diffie-Hellman certified keys gets us pretty close to PFS.
>
> "Pretty Close" and "Perfect" don't mix. Also, requiring changes to
> the Kerberos protocol or KDC to support KINK would be out of scope for
> this working group.
I agree. In fact, I agreed in the part of the post you excised. I was just noting that the fix to Kerberos (and the fact that it's pretty close indeed means that a fix would be needed) might not be too hard.
>
> I still think the path of least resistance for KINK is to reuse as
> much of IKE as possible, just using Kerberos as an authentication
> method.
Yuck. The road to hell is often the path of least resistance.
Paul