RE: lack of PFS considered harmful
On Fri, 13 Oct 2000, Paul Leach wrote:
>
>
> > -----Original Message-----
> > From: Bill Sommerfeld [mailto:sommerfeld@xxxxxxxxxxxx]
> > Sent: Friday, October 13, 2000 6:00 PM
> > To: Paul Leach
> > Cc: Jan Vilhuber; Michael Thomas; Greg Troxel; ietf-kink@xxxxxxxx
> > Subject: Re: lack of PFS considered harmful
> >
> >
> > > The good news is that I believe use of PK options of Kerberos with
> > > Diffie-Hellman certified keys gets us pretty close to PFS.
> >
> > "Pretty Close" and "Perfect" don't mix. Also, requiring changes to
> > the Kerberos protocol or KDC to support KINK would be out of scope for
> > this working group.
>
> I agree. In fact, I agreed in the part of the post you excised. I was
> just noting that the fix to Kerberos (and the fact that it's pretty
> close indeed means that a fix would be needed) might not be too hard.
>
> >
> > I still think the path of least resistance for KINK is to reuse as
> > much of IKE as possible, just using Kerberos as an authentication
> > method.
>
> Yuck. The road to hell is often the path of least resistance.
>
And IKE bashing (Yuck! NOT IKE!) seems to be some sort of 'least resistance'
kind of thing, too.
It makes perfect sense to reuse IKE packet formats where possible. No one is
suggesting doing cookies, and other things that make IKE complicated. Reusing
packet formats makes perfect sense because there's well-tested code to parse
them already out there.
jan
--
Jan Vilhuber vilhuber@xxxxxxxxx
Cisco Systems, San Jose (408) 527-0847