Re: is manual keying mandatory
Dave Carrel <carrel@ipsec.org> Mon, 23 March 1998 20:08 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA25455 for ipsec-outgoing; Mon, 23 Mar 1998 15:08:18 -0500 (EST)
Message-Id: <199803232019.MAA28635@weenie.redbacknetworks.com>
To: Steve Sneddon <sned@cisco.com>
cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>, ipsec@tis.com
From: Dave Carrel <carrel@ipsec.org>
Subject: Re: is manual keying mandatory
In-reply-to: Your message of "Mon, 23 Mar 1998 11:39:03 PST." <2.2.32.19980323193903.006e5768@trix.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <28632.890684349.1@RedBackNetworks.com>
Date: Mon, 23 Mar 1998 12:19:09 -0800
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Sigh...  Please give it a rest!

Statements like "It's a commercial issue" and "if companies can't make a successful IPSec product" are not productive. It's just pure sensationalism. Can you give any reason why you CAN NOT do manual keying?? Nothing says that it must be your only keying method and nothing says that you have to make it scale. Just that you MUST provide it.

As for the rest of this message, I thought it was awfully convenient that you asked that we not re-hash the opposing opinions and just that we re-hash yours. Also it was convenient that you ignored the responses to your original question (including those from your own company).

The issue was decided long ago. Whether I think it's a great decision or not is basically irrelevant. It _is not_ a bad decision. It is one that any reasonable person can work with. And if you still dislike it, then just ignore it and let the market decide. (We're not writing laws here, we're writing standards.) If you have a good key management solution and it is everything that your customers need, then they won't care if you leave out manual keying. Of course if you're wrong ...

Dave

> Ted, thanks for expressing the position I take 99.999% of the time. However,
> I'm afraid that I see this as a big issue. At its heart, it's a
> "commercial" issue, a kind of problem we haven't had to deal with as much as
> other (harder?) technical issues. But, if companies can't make a successful
> IPSec product, then that's a problem in my book (I know not in everybody's
> book, etc. etc., please let's not rehash *that* issue again ;=)). And I
> think there's a very cogent case to be made that manual keying can't "work"
> (in a commercial sense of being scalable, supportable, security-risk-free,
> etc.) in everyday use on 10's of millions of machines - a space that certain
> people are trying to address with commercial products.
>
> Would it be a good thing if some major (numbers-wise) implementations were
> explicitly non-compliant? That might be the alternative. How would that help
> the overall situation?
>
> All this is the reason why I asked for information from people on the topic.
> There's still lots of issues outside of the IPSec specs that need
> addressing. Yet practically nobody responded with the detail I requested.
> Given how quick people usually are on this list, I take that as evidence
> that nobody's doing it in a general way... Or maybe it's so hard they want
> to keep it to themselves for competitive reasons :=} ?
>
> Regards all,
> Steve
>
> At 02:10 PM 3/20/98 -0500, Theodore Y. Ts'o wrote:
> >
> >Can we please consider the issue of manual keying to be closed, please?
> >We've gone over this before many times --- and the only way to make
> >progress is to avoid continually revisiting issues which we've decided
> >in the past. The Security Architecture document very clearly states
> >that manual keying is mandatory; there shouldn't be any confusion on
> >this issue at all. Some of you may disagree with this decision, but we
> >decided this months ago. Can we please give it a rest?
> >
> > - Ted