net (Frank Willoughby) says:
>>>Actually, the key management problem was solved by V-ONE a couple of years
>>>ago. (V-ONE is a firewall vendor).
>Padgett asks the obvious:
>>Sounds wonderful but pray tell *how* do they authenticate each other ?
>So Frank writes:
>Would it suffice to say that it was good enough for NSA - and that it is the
>*only* Internet firewall used in a NSA-approved configuration? In a public
>forum, this is probably all I can say.
Interesting. The only "approved configuration" I know of wasn't so
much NSA as DISA, and the cryptographic services were irrelevant to
its application. If you really do know of an "approved configuration"
involving crypto on a commercial firewall, then there are at least
*two* different "approved configurations" out there.
There have been several "solutions" to the "key management problem,"
and so far nobody, not even NSA, has come up with one that solves
everything. Choosing a key management scheme is just like any other
big mechanism decision: it depends on what your threats and
operational objectives are. PGP takes one approach yielding one set of
results, FORTEZZA takes another.
It is true that we can't pick apart the details of whatever these
government configurations *are* in a public forum. However, I suspect
that any 2-year-old commercial implementation is probably at most
proprietary information. Most likely there's a public whitepaper
describing what V-One does, and how. If V-One (or its crypto
implementer) is represented on this list, it might be interesting to
hear a first hand report of what they really achieve.
com secure computing corporation