Re: [proxies] [IETF Proxy] Next Steps

"Glen Zorn" <gzorn@arubanetworks.com> Tue, 22 April 2008 07:00 UTC

Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C8E2F28C455; Tue, 22 Apr 2008 00:00:44 -0700 (PDT)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A42C928C455 for <proxies@core3.amsl.com>; Tue, 22 Apr 2008 00:00:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hzrgFzaHnlL2 for <proxies@core3.amsl.com>; Tue, 22 Apr 2008 00:00:43 -0700 (PDT)
Received: from mail.arubanetworks.com (mail.arubanetworks.com [216.31.249.253]) by core3.amsl.com (Postfix) with SMTP id D0F6328C449 for <proxies@ietf.org>; Tue, 22 Apr 2008 00:00:43 -0700 (PDT)
Received: from aruba-mx1.arubanetworks.com ([10.1.1.17]) by mail.arubanetworks.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 22 Apr 2008 00:00:49 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 22 Apr 2008 00:00:42 -0700
Message-ID: <A3DA4C2546E1614D8ACC896746CDCF29011A39AB@aruba-mx1.arubanetworks.com>
In-Reply-To: <480D8136.9000702@restena.lu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [proxies] [IETF Proxy] Next Steps
Thread-Index: AcikP3+2n8C42Mx2S3a464xh/6Ku6AABqnSA
References: <7.0.1.0.2.20080416172531.02401228@nist.gov><200804171550.48931.stefan.winter@ restena.lu><480769A1.9080408@nitros9.org> <200804180911.39758.stefan.winter@restena.lu> <A3DA4C2546E1614D8ACC896746CDCF29011A353E@aruba-mx1.arubanetworks.com> <480D8136.9000702@restena.lu>
From: "Glen Zorn" <gzorn@arubanetworks.com>
To: "Stefan Winter" <stefan.winter@restena.lu>
X-OriginalArrivalTime: 22 Apr 2008 07:00:49.0939 (UTC) FILETIME=[98DDAE30:01C8A446]
Cc: proxies@ietf.org
Subject: Re: [proxies] [IETF Proxy] Next Steps
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org

Stefan Winter <mailto:stefan.winter@restena.lu> scribbled on Tuesday,
April 22, 2008 1:10 PM:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>>> Certainly. Contractual bounds could be used. My personal preference
>>> would be to have an encryption channel between home and visited
>>> domain AAA servers (_not_ NASes) to eliminate the problem of
>>> paperwork at all, but I admit that this is almost impossible to do
>>> correct.
>> 
>> Not sure why you say this: getting the keys set up might be
>> politically or procedurally hard, but it seems technically
>> straightforward. 
> 
> I assume you are thinking of a manual key distribution between peers?
> That is an option for a small scale deployment for sure. With
> 1000 admin domains where every one may want to exchange secret
> information with everyone else, there would need to be 1000^2
> sets of keys in place. All peers are not allowed to be in
> possession of any keys but those concerning themselves. While
> it is technically possible (maybe), the deployment and
> maintenance hurdles of such a key blob are prohibitive.
> 
> Or did you mean something completely different that we simply
> overlooked? I'd be very eager to hear about it then!

Sorry, the "it" to which I was referring is the encrypted channel, not
the key distribution.  Key distribution seems always to be hard, whether
manual or "automatic"...

...
_______________________________________________
Proxies mailing list
Proxies@ietf.org
https://www.ietf.org/mailman/listinfo/proxies