Michael Richardson wrote:
> I don't know where you have been for the past year, but the accepted
> KMP is ISAKMP with Oakley. Not the best, not the easiest, and most
> definitely not the one we will use in ten years (I hope), but
> nevertheless the standard one.
> At least ten vendors interoperated using ISAKMP, and the
> Kent/Sao/Madson ESP transform document in early June in Detroit. That
> included two Israeli vendors (who can only ship DES to North America),
> and the Linux FreeSWAN project, and DataFellows.
I don't know where you've been, but check the S/WAN interoperability page.
Not much happening with ISAKMP. I don't know who's "accepted" ISAKMP as the
KMP.
> mikech> *Our* problem is that once you get into automated key
> mikech> exchanges you are talking public key crypto and royalties
> mikech> out the ying-yang. DES/3DES and MD5 can be used royalty
>
> Well, the Diffie-Hellman patent expires this September. If you are
> satisfied to use DSA to sign your DH ephemeral exponents for ISAKMP,
> then you can build ISAKMP royalty free. Elliptic curve public keying
> algorithms are another route.
And with SKIP there are no royalties. SKIP's use of public-key technology is
royalty-free, and you don't have to use DSA or implement elliptic curve
algorithms.
> mikech> ;-) At least IBM granted the use of its IKMP protocol for
> mikech> free in Photuris implementations (RFC 1822).
>
> Photuris, while not mandatory standards track, is now seeing some
> movement again.
Sun put the SKIP patents into the public domain, not just granted use.
> mikech> Until you can automatically swap keys, change them
> mikech> mid-session, and work with any combination Firewall/OS,
>
> Did that, been there.
Doing that with SKIP today!
::: chris :::
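Worked illustration of the signed-DH approach mentioned above (an added example; not code from this thread, from ISAKMP, or from any vendor): each side signs its nonce and ephemeral DH public value with a long-term DSA key, the peer verifies that signature and checks subgroup membership before computing the shared secret, and a DH value swapped in by someone on the path is rejected. It uses only the Python standard library. The 256-bit p / 64-bit q parameter sizes, the message layout and the key derivation are assumptions made for this example, not ISAKMP's.

```python
"""Authenticated ephemeral Diffie-Hellman: each side signs its nonce and DH public
value with a long-term DSA key and rejects a peer whose signature fails.  Added
illustration, not code from the thread, ISAKMP or any product.  Parameter sizes
are ASSUMED and small (256-bit p, 64-bit q) for speed; real deployments use far larger."""
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(p_bits=256, q_bits=64):
    """DSA-style group: primes p, q with q | p-1 and a generator g of order q."""
    q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while True:  # k is forced even so that p = k*q + 1 is odd
        k = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        if is_probable_prime(k * q + 1):
            break
    g = 1
    while g == 1:  # h^((p-1)/q) = h^k mod p has order q unless it is 1
        g = pow(secrets.randbelow(k * q - 2) + 2, k, k * q + 1)
    return k * q + 1, q, g

P, Q, G = generate_params()

def i2b(n):
    return n.to_bytes(32, "big")  # all values here are < p < 2**256

def hash_to_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def dsa_sign(x, msg):
    h = hash_to_int(msg)
    while True:
        k = secrets.randbelow(Q - 1) + 1  # fresh per signature: a reused k leaks x
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if r and s:
            return r, s

def dsa_verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (hash_to_int(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

class Party:
    def __init__(self):
        self.sign_priv = secrets.randbelow(Q - 1) + 1  # long-term DSA identity key
        self.sign_pub = pow(G, self.sign_priv, P)
        self.nonce = secrets.token_bytes(16)
        self.dh_priv = secrets.randbelow(Q - 1) + 1  # ephemeral DH exponent
        self.dh_pub = pow(G, self.dh_priv, P)

    def message(self):
        """Nonce and DH public value, signed under the long-term key."""
        return {"nonce": self.nonce, "dh_pub": self.dh_pub,
                "sig": dsa_sign(self.sign_priv, self.nonce + i2b(self.dh_pub))}

    def shared_secret(self, peer_msg, peer_sign_pub):
        """Check subgroup membership and the signature before using the peer's value."""
        v = peer_msg["dh_pub"]
        if not (1 < v < P - 1 and pow(v, Q, P) == 1):
            raise ValueError("peer DH value is not in the order-q subgroup")
        if not dsa_verify(peer_sign_pub, peer_msg["nonce"] + i2b(v), peer_msg["sig"]):
            raise ValueError("peer signature does not verify; aborting exchange")
        return pow(v, self.dh_priv, P)

def derive_key(shared, m1, m2):
    """Bind the session key to the shared secret, both nonces and both DH values."""
    return hashlib.sha256(i2b(shared) + m1["nonce"] + m2["nonce"]
                          + i2b(m1["dh_pub"]) + i2b(m2["dh_pub"])).digest()

def run_exchange(initiator, responder, tamper=False):
    """Two-message exchange; returns (initiator_key, responder_key)."""
    m1, m2 = initiator.message(), responder.message()
    if tamper:  # an in-path attacker swaps its own DH value into the responder's message
        m2 = dict(m2, dh_pub=pow(G, secrets.randbelow(Q - 1) + 1, P))
    k_init = derive_key(initiator.shared_secret(m2, responder.sign_pub), m1, m2)
    k_resp = derive_key(responder.shared_secret(m1, initiator.sign_pub), m1, m2)
    return k_init, k_resp
```

Run it with `a, b = Party(), Party(); run_exchange(a, b)` to get two equal 32-byte keys, and `run_exchange(a, b, tamper=True)` to see the initiator abort with a signature failure. The signature covers the sender's nonce together with its DH value, so neither can be swapped independently, and the subgroup check stops a peer from forcing a small-order shared secret; `pow(k, -1, Q)` needs Python 3.8 or later.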