The WG's inability to choose is good in this case.
HUGO@watson.ibm.com Thu, 19 September 1996 15:26 UTC
Received: from relay.hq.tis.com by neptune.TIS.COM id aa08114; 19 Sep 96 11:26 EDT
Received: by relay.hq.tis.com; id LAA07358; Thu, 19 Sep 1996 11:30:21 -0400
From: HUGO@watson.ibm.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Received: from sol.hq.tis.com(10.33.1.100) by relay.tis.com via smap (V3.1.1) id xma007345; Thu, 19 Sep 96 11:29:52 -0400
Received: from relay.hq.tis.com by tis.com (4.1/SUN-5.64) id AA24898; Thu, 19 Sep 96 11:29:03 EDT
Received: by relay.hq.tis.com; id LAA07338; Thu, 19 Sep 1996 11:29:50 -0400
Received: from igw2.watson.ibm.com(129.34.139.6) by relay.tis.com via smap (V3.1.1) id xma007330; Thu, 19 Sep 96 11:29:45 -0400
Received: from mailhub1.watson.ibm.com (mailhub1.watson.ibm.com [9.2.249.31]) by igw2.watson.ibm.com (8.7.4/8.7.1) with ESMTP id LAA16665; Thu, 19 Sep 1996 11:32:36 -0400
Received: from yktvmv.watson.ibm.com (yktvmv.watson.ibm.com [9.117.33.29]) by mailhub1.watson.ibm.com (8.7.1/09-08-96) with SMTP id LAA567568; Thu, 19 Sep 1996 11:32:06 -0400
Message-Id: <199609191532.LAA567568@mailhub1.watson.ibm.com>
Received: from YKTVMV by yktvmv.watson.ibm.com (IBM VM SMTP V2R3) with BSMTP id 8048; Thu, 19 Sep 96 11:31:49 EDT
Date: Thu, 19 Sep 1996 10:29:34 -0400
To: ipsec@TIS.COM
Cc: gnu@toad.com, jlawler@vpnet.com
Subject: The WG's inability to choose is good in this case.
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
John Gilmore says: > We are stuck for a good reason; we don't want to make a good political > decision. We want to make a good technical decision, and there is no > good technical choice for securing the Internet right now. The IPSEC > process is working. It looks too slow because the technical proposals > and implementations need to evolve faster than they have been, not > because the consensus process has failed. > There is NO strong technical reason that impedes the convergence of ISAKMP, Oakley and SKIP. There is nothing essentially contradictory between these protocols. Technically, they can be merged at not much cost. (Of course, the resultant protocol will not be as simple as the basic SKIP, but the latter is in any case not an IPSEC-acceptable stand-alone solution as it does not provide PFS). Therefore, I conclude, the difficulties in finding a common ground are purely political. In order to accomodate SKIP functionality into Oakley there are two issues to decide on: (1) Support of DH-certificates (2) Support of in-line keying These two issues are mostly independent (ie, the decision on one does not depend on the other). Support for (2) can be added to Oakley with no implication to the rest of the protocol (some issues are: (a) mandatory-vs-optional to implement, (b) separate header for carrrying the packet key or combined into the existing ESP and AH transforms, (c) SPI allocation) Support for (1), especially if mandatory, is more delicate. It would mean that each IPSEC-compliant host will need a DH certificate. (As opposed to, say, an RSA or DSS certificate). It means also that we'll need to define a universal DH group (e.g. prime p and generator g) on which to work. I am personally not enthusiastic about the latter but was (and am) willing to accept it in order to resolve the WG deadlock. In particular, I have suggested particular ways to accomodate DH-certificates for key derivation in Oakley (actually this is part of my suggestions in my SKEME proposal from a year ago). One personal clarification regarding (2): in my opinion, there is a strong technical basis to require key exchange/refreshment via authenticated handshakes as supported by Oakley (even if in-line keying is also supported by the protocol). And I believe (hope) that SUN (in particular, Ashar) would not oppose that. Hugo