>>>>> "mikech" == mikech <mikech @
mikech> implementations), I can tell you that the biggest hurdle
mikech> is its lack of an "accepted" key exchange
mikech> mechanism. Currently we are using a sneakernet, S/MIME or
I don't know where you have been for the past year, but the accepted
KMP is ISAKMP with Oakley. Not the best, not the easiest, and most
definitely not the one we will use in ten years (I hope), but
nevertheless the standard one.
At least ten vendors interoperated using ISAKMP, and the
Kent/Sao/Madson ESP transform document in early June in Detroit. That
included two Israeli vendors (who can only ship DES to North America),
and the Linux FreeSWAN project, and DataFellows.
mikech> PGP manual exchange mechanism for keys. Both SKIP and
mikech> Photuris are still at the development stage and are not
mikech> cross compatible.
Holy timewarp mail, Batman.
mikech> *Our* problem is that once you get into automated key
mikech> exchanges you are talking public key crypto and royalties
mikech> out the ying-yang. DES/3DES and MD5 can be used royalty
Well, the Diffie-Hellman patent expires this September. If you are
satisfied to use DSA to sign your DH ephemeral exponents for ISAKMP,
then you can build ISAKMP royalty free. Elliptic curve public keying
algorithms are another route.
mikech> ;-) At least IBM granted the use of its IKMP protocol for
mikech> free in Photuris implementations (RFC 1822).
Photuris, while not mandatory standards track, is now seeing some
mikech> Until you can automatically swap keys, change them
mikech> mid-session, and work with any combination Firewall/OS,
Did that, been there.
] It isn't that sun never sets; rather dawn and dusk are united | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr @
ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
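As an added example that is not part of this thread: a toy-sized sketch of the signature-authenticated Diffie-Hellman exchange the reply describes, with DSA rather than RSA signing each side's ephemeral DH value so the peer verifies it before deriving the shared key. The group parameters, keys and message encoding are constructed here and are far too small for real use; the Oakley groups and the ISAKMP message layout are not modelled.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: p = 607 = 6*101 + 1, q = 101,
# g = 64 generates the order-q subgroup. Real ISAKMP uses the Oakley groups.
P, Q, G = 607, 101, 64

def hash_mod_q(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def dsa_sign(x: int, msg: bytes):
    # Standard DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q,
    # with a fresh nonce k per signature; retry on the degenerate r or s = 0.
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (hash_mod_q(msg) + x * r)) % Q
        if r != 0 and s != 0:
            return r, s

def dsa_verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (hash_mod_q(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def signed_ephemeral(x: int):
    # One side's contribution: fresh DH exponent a, public value g^a, and a
    # DSA signature over that value under the long-term key x.
    a = secrets.randbelow(Q - 1) + 1
    A = pow(G, a, P)
    return a, A, dsa_sign(x, A.to_bytes(2, "big"))

def derive_shared(priv: int, peer_pub: int, peer_y: int, peer_sig) -> int:
    # Refuse to derive a key from an ephemeral the peer did not sign.
    if not dsa_verify(peer_y, peer_pub.to_bytes(2, "big"), peer_sig):
        raise ValueError("DSA signature on peer's DH value does not verify")
    return pow(peer_pub, priv, P)

def run_exchange(x_a: int, x_b: int):
    # Each side already holds the other's long-term DSA public key g^x.
    a, A, sig_a = signed_ephemeral(x_a)
    b, B, sig_b = signed_ephemeral(x_b)
    k_a = derive_shared(a, B, pow(G, x_b, P), sig_b)
    k_b = derive_shared(b, A, pow(G, x_a, P), sig_a)
    return k_a, k_b
```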