[14619] in cryptography@c2.net mail archive

Re: Ease of setting up IPSEC

daemon@ATHENA.MIT.EDU (D.K. Smetters)
Sun Oct 12 17:07:00 2003

X-Original-To: cryptography@metzdowd.com
Date: Sun, 12 Oct 2003 10:49:38 PDT
From: "D.K. Smetters" <smetters@parc.com>
To: John Gilmore <gnu@toad.com>
Cc: cryptography@metzdowd.com, rsalz@datapower.com, gnu@new.toad.com



John Gilmore wrote:

>Rich $alz said:
>
>>it might be more useful to create a user-friendly management
>>interface to IPsec implementations to join the zero or so already
>
>We've been making it simpler in just about every release.  Now you
>basically have to download the RPM, install it, it spits out a public
>key, and you install that public in your DNS in-addr records.  Then
Ah, but that last is the kicker.  I'm all for the whole
DNSSEC-as-key-distribution model, but we're a long way from it in
practice.  In your example above, there are actually two more common
versions of step 3: 1) user who doesn't even know he has a public key
takes it to the guy in charge of maintaining DNS for his installation
and attempts to convince him that he ought to put it in the user's
machine's in-addr record.  Or 2) home/roaming user who has no effective
DNS service for his endpoint from his ISP looks at his shiny new key
and wonders what to do.  (Yes, in theory you could grease the wheels
with clever use of dynamic DNS, but it's not currently deployed in a
way that will help most people with this problem.)

--Diana


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
