PHB,
...
> One major design limit in IPSEC and TLS is that both view the key exchange as being integral to the security layer rather than a separate service. I would like to separate out consideration of how chunks of data passing over the net are tagged and bagged for encryption and authentication from the question of key setup.
IKE is separate from ESP and AH. ESP and AH can be used independently of IKE, although manual keying is obviously not attractive in most cases. TLS is a different matter, in that the handshake that puts keys in place is integral to the data security protocol. However, DTLS is used with SRTP to secure VoIP, showing that the key exchange there can be used to support other protocols.
> There is no logical reason why the key negotiation for TLS, IPSEC and tcpcrypt can't be shared.
yes, it could be, despite the erroneous assertions above ;-)
Steve
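The separation Steve describes, one key negotiation feeding several data-protection protocols the way DTLS feeds SRTP, can be sketched in code. This is an added example, not code from the thread: a single negotiated secret (a constructed stand-in for the output of an IKE or (D)TLS handshake) is turned into independent per-protocol keys through an HKDF-based exporter keyed by a protocol label and context. HKDF follows RFC 5869; the secret, nonces, labels and the exporter's info layout are constructed assumptions.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyNegotiation:
    """Result of a key-exchange service shared by several data-protection
    protocols. The secret and nonces are constructed stand-ins for what an
    IKE or (D)TLS handshake would have produced."""

    def __init__(self, negotiated_secret: bytes, nonces: bytes) -> None:
        # The PRK never leaves this object; consumers only see exported keys.
        self._prk = hkdf_extract(nonces, negotiated_secret)

    def export(self, protocol: str, context: bytes, length: int) -> bytes:
        """Exporter in the spirit of the DTLS-SRTP pattern (assumed layout):
        the label binds the key to one consumer protocol, so ESP, SRTP and
        tcpcrypt keys taken from one handshake are independent."""
        label = protocol.encode("ascii")
        info = bytes([len(label)]) + label + bytes([len(context)]) + context
        return hkdf_expand(self._prk, info, length)


def derive_protocol_keys(negotiation: KeyNegotiation) -> dict:
    """Hand out per-protocol keys from one negotiation (lengths are
    illustrative: 32-byte AEAD keys for ESP/tcpcrypt, 16-byte SRTP key)."""
    return {
        "esp": negotiation.export("esp", b"spi:constructed", 32),
        "srtp": negotiation.export("srtp", b"", 16),
        "tcpcrypt": negotiation.export("tcpcrypt", b"session:constructed", 32),
    }
```

Because each consumer only ever receives its exported key, a compromise of one protocol's key material says nothing about the others, which is the property that makes a shared negotiation acceptable.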
_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass