Re: [dix] IETF requirement for automated key management

On 5-Jun-06, at 4:43 PM, Eric Rescorla wrote:

> Sam Hartman <hartmans-ietf at mit.edu> writes:
>
>> Hi.  I want to draw your attention to RFC 4107.
>>
>> This RFC specifies a mandatory requirement for new work in the IETF
>> that, except in a small number of cases, there needs to be
>> automated key management. For example, if you have a protocol like DIX
>> where there are MACs of messages, you need a key management solution
>> to set up and maintain these keys.
>
> As I understand DIX 16.2, the only way in which the MAC is used is for the Identity Agent to be able to determine that messages it has generated are valid. The MAC isn't verified by anyone else and a MAC is just a suggested implementation anyway. I'm not sure how automated key management would fit in here.

Correct, and I don't think it does either.

I'm working on a draft of how an Identity Agent Application (as opposed
to an Identity Agent Website) would work. When using the DIX message
signing and signature verification method this necessitates a collaborative
website to receive and process the verify request messages. The 'key'
then needs to be shared between the website and the application. RFC
4107 may play a part in that exchange.


John

_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
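The distinction the thread turns on (a MAC whose key never leaves the party that both generates and verifies, versus a key that must be shared between an application and a separate website) can be shown in a few lines. The following is an added illustration and not DIX code or anything from the list; the class name, method names and message format are assumptions made for this example only.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# Hypothetical model of the pattern Eric describes for DIX 16.2: the Identity
# Agent MACs messages it generates and later checks that a message handed back
# to it is one of its own. Not DIX code; names and wire format are assumed.

SEP = b"|"


class IdentityAgent:
    def __init__(self, key: Optional[bytes] = None):
        # When the key is generated here and never transmitted, generator and
        # verifier are the same party and no key-management exchange is needed.
        self.key = key if key is not None else secrets.token_bytes(32)

    def _mac(self, message: bytes) -> bytes:
        return hmac.new(self.key, message, hashlib.sha256).digest()

    def issue(self, message: bytes) -> bytes:
        # Emit message || SEP || hex(tag); the separator may not occur in message.
        if SEP in message:
            raise ValueError("separator byte not allowed in message")
        return message + SEP + self._mac(message).hex().encode()

    def verify(self, wire: bytes) -> bool:
        # Accept only messages issued under this agent's key; constant-time compare.
        message, sep, tag_hex = wire.rpartition(SEP)
        if not sep:
            return False
        try:
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return False
        return hmac.compare_digest(tag, self._mac(message))


def single_agent_roundtrip() -> Tuple[bool, bool]:
    """One party issues and verifies: a genuine message passes, a tampered one fails."""
    agent = IdentityAgent()
    wire = agent.issue(b"verify-request id=1 user=alice")  # constructed sample
    tampered = wire.replace(b"alice", b"bob")             # constructed modification
    return agent.verify(wire), agent.verify(tampered)


def split_agent_roundtrip(shared: bool) -> bool:
    """Application issues, a separate website verifies. This only works when the
    key has been shared between them out of band, which is the exchange John
    suggests RFC 4107 may govern."""
    app = IdentityAgent()
    website = IdentityAgent(app.key if shared else None)
    return website.verify(app.issue(b"verify-request id=2 user=alice"))


if __name__ == "__main__":
    print("single agent (genuine, tampered):", single_agent_roundtrip())
    print("split agent, key shared:", split_agent_roundtrip(shared=True))
    print("split agent, key not shared:", split_agent_roundtrip(shared=False))
```

In the single-agent case the key is purely local state, which is why the automated key management requirement of RFC 4107 has nothing to negotiate; the split case is where a key must cross a trust boundary and the requirement becomes relevant.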