Re: speaking of keys
Stephen Kent wrote:
>
> If we choose more than one MUST value, then we should be able to rely
> on interoperability on either value, and people at least have an
> ability to pick one as a default. My original concern was that they
> might default to the biggest value (on the "bigger is better" theory
> of operation) and then we would get bad press re the expense of
> IPsec/IKE.
>
> Maybe we can't avoid this, but that was the concern I originally
> voiced. Another way of approaching this might be to mandate support
> for larger group sizes, but not yet mandate support for SPECIFIC
> groups at these larger sizes. That way user communities would be free
> to choose groups at bigger sizes and be assured of interoperability
> among various vendor products, but we could avoid creating defaults
> that we know users would select mindlessly.
>
One could put some guidance in the document about the relative performance
and security merits of the mandated groups. Or even actual numbers
("at the time of writing, here's the deal on performance"). I think
that the best we can accomplish is to provide guidance to the developers
trying to cut code for this standard. It's up to them to determine how
to best "package" this for the ultimate consumer.

I really don't have a problem with MUSTing a couple of groups at least.

1024 - fast, but somewhat less secure
15xx - slower, but rather more secure

I can sympathize with not wanting to mandate the much larger groups. Small
devices (telephones, for example) really do have some serious storage
and performance issues, but storage is the real killer, as it turns
out. Bad engineering, if you ask me, but the reality is that there
are a whole poopload of these devices out in the field, with a bigger
poopload on the way. These things are *very* cost-sensitive. It really
is the case that product line managers will agonize over feature decisions
that might require adding another $0.50 to the hardware cost of the
device.
--
----------------------------------------------------------------------
Marcus Leech                          Mail:  Dept 8M70, MS 012, FITZ
Advisor                               Phone: (ESN) 393-9145  +1 613 763 9145
Security Architecture and Planning    Fax:   (ESN) 393-9435  +1 613 763 9435
Nortel Networks                       mleech@nortelnetworks.com
-----------------Expressed opinions are my own, not my employer's------
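The "actual numbers" on performance that Marcus suggests, as an added example that is not from the original thread: a small Python benchmark that runs a full two-party Diffie-Hellman exchange at 1024 and 1536 bits (assuming the "15xx" group means a 1536-bit modulus) and reports the time per exchange and the wire size of each public value. The moduli are constructed random odd numbers of the requested size, used only to measure exponentiation cost; a real IKE group uses a fixed, published prime.

```python
import secrets
import time

def constructed_modulus(bits: int) -> int:
    """Constructed stand-in modulus: a random odd number of exactly `bits` bits.
    Only operand size matters for exponentiation cost, so this measures what a
    MODP group of that size costs; it is NOT a usable DH group."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def dh_exchange(p: int, g: int, exp_bits: int) -> dict:
    """One two-party exchange over (p, g): both sides derive the shared value."""
    a = secrets.randbits(exp_bits)   # initiator private exponent
    b = secrets.randbits(exp_bits)   # responder private exponent
    ya = pow(g, a, p)                # initiator public value (sent on the wire)
    yb = pow(g, b, p)                # responder public value (sent on the wire)
    ka = pow(yb, a, p)               # initiator's shared secret
    kb = pow(ya, b, p)               # responder's shared secret
    return {
        "agree": ka == kb,
        "public_bytes": (p.bit_length() + 7) // 8,  # storage/wire size per value
    }

def cost_per_group(sizes=(1024, 1536), rounds=20) -> dict:
    """Time full exchanges per modulus size using full-length private exponents
    (shorter exponents cut the cost roughly linearly). Returns seconds and bytes."""
    results = {}
    for bits in sizes:
        p = constructed_modulus(bits)
        t0 = time.perf_counter()
        for _ in range(rounds):
            r = dh_exchange(p, 2, bits)
            if not r["agree"]:
                raise RuntimeError("shared values differ; exchange is broken")
        results[bits] = {
            "seconds_per_exchange": (time.perf_counter() - t0) / rounds,
            "public_bytes": r["public_bytes"],
        }
    return results

def relative_cost(results: dict, base: int, other: int) -> float:
    """How many times more expensive `other` is than `base` on this machine."""
    return results[other]["seconds_per_exchange"] / results[base]["seconds_per_exchange"]

if __name__ == "__main__":
    res = cost_per_group()
    for bits, r in res.items():
        print(f"{bits}-bit: {r['seconds_per_exchange'] * 1000:.2f} ms per exchange, "
              f"{r['public_bytes']} bytes per public value")
    print(f"1536-bit group costs {relative_cost(res, 1024, 1536):.1f}x the 1024-bit group")
```

The absolute numbers depend on the machine and bignum library, which is exactly why a standard can only give guidance rather than a fixed verdict; the size ratio (128 vs 192 bytes per public value) is what the small-device storage concern is about.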