Target audience? (was Re: [saag] Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)

2014-08-04 12:11:19
On 8/4/2014 9:51 AM, Stephen Kent wrote:
> Viktor
>
> On Thu, Jul 31, 2014 at 09:24:33PM +0100, t.p. wrote:
>
>> But on key management, I am not sure I agree with you.  Yes, ECDHE
>> is a part of key management, but I would not think it on its own as
>> being key management; or put differently, you either have key
>> management or you do not, so 'authenticated key management'
>> seems to me .. well, not real.  I look in vain for it in RFC2401
>> or RFC2828.
>
> One tends to distinguish between key management and key agreement.
> I've not previously seen ephemeral key agreement described as key
> management.

I've published nothing on key management.  I sometimes hear people talk
about it.  I often misplace my keys and sometimes am locked out of my
house....

2 minute search:

     http://en.wikipedia.org/wiki/Cryptographic_key_types

     "One of the most important aspects of any cryptographic system is
      key management..."

followed by a long list of types of key workings, including:

     "Private ephemeral key agreement key

      Private ephemeral key agreement keys are the private keys of
      asymmetric key pairs that are used only once to establish one or more
      keys (e.g., key wrapping keys, data encryption keys, or MAC keys) and,
      optionally, other keying material (e.g., Initialization Vectors).

     "Public ephemeral key agreement key

      Public ephemeral key agreement keys are the public keys of
      asymmetric key pairs that are used in a single key establishment
      transaction to establish one or more keys (e.g., key wrapping keys, data
      encryption keys, or MAC keys) and, optionally, other keying material
      (e.g., Initialization Vectors).

Looks to me like they are listed as key management methods.


More generally, for this draft, I would expect the term 'key management'
to have extremely broad and inclusive meaning, only barely qualifying as
a technical definition, simply because I thought this document was
intended for broad use.


Discussions on the topic of this draft have regularly included
statements along the lines of "I believe x" or "when I say y, I mean z",
presumably meaning that the speaker's personal usage represents a
definitive basis for the position they are espousing.

Another popular style of comment is to make fine-grained distinctions,
demanding significant nuance in usage.


All of which leads to the basic question of who this draft is for?  I
thought it was for broad-based use among technicians, technical managers
and others, including folk who are not security experts and folk who
might not even be networking or computer experts.


It really would help to gain some rough consensus about the target
audience for this document, so that that population can be referenced
when attempting to evaluate choices, rather than having anyone attempt
to rely on their personal preferences, here on the IETF.



d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
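As an added illustration of the quoted definition of ephemeral key agreement keys (example code written for this page; it is not from the thread, the draft, or Wikipedia): one ephemeral Diffie-Hellman exchange in which each side's fresh key pair is used exactly once, the peer's public value is validated before use, and the single shared secret is expanded into a key-wrapping key, a data-encryption key, a MAC key and an IV, after which the private values are discarded. It assumes the RFC 3526 2048-bit MODP group (group 14) and an HKDF-SHA256 key schedule (RFC 5869); the derivation label and the split of the output into four pieces are choices made for this example.

```python
# Added example: ephemeral Diffie-Hellman key agreement plus an HKDF-SHA256
# key schedule (RFC 5869). Group parameters are RFC 3526 group 14 (assumed
# here; the labels and key layout below are this example's own choices).
import hashlib
import hmac
import secrets

# RFC 3526, group 14: p is a safe prime (p = 2q + 1) and g = 2 generates
# the subgroup of prime order q.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2
P_BYTES = 256  # fixed-width encoding of 2048-bit group elements


def generate_ephemeral_keypair():
    """Fresh (private, public) pair intended for a single agreement only."""
    priv = secrets.randbelow(Q - 1) + 1  # uniform in [1, q-1]
    return priv, pow(G, priv, P)


def is_valid_public_key(pub):
    """Reject 0, 1, p-1 and any value outside the order-q subgroup."""
    if not 2 <= pub <= P - 2:
        return False
    return pow(pub, Q, P) == 1


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret, pub_initiator, pub_responder):
    """Expand one shared secret into the keying material the definition lists."""
    # Salt the extraction with both public values so the derived keys are
    # bound to this specific exchange, not just to the raw secret.
    transcript = hashlib.sha256(
        pub_initiator.to_bytes(P_BYTES, "big") + pub_responder.to_bytes(P_BYTES, "big")
    ).digest()
    prk = hkdf_extract(transcript, shared_secret.to_bytes(P_BYTES, "big"))
    okm = hkdf_expand(prk, b"ephemeral-dh-example", 32 + 32 + 32 + 16)
    return {
        "key_wrap": okm[0:32],   # key wrapping key
        "enc": okm[32:64],       # data encryption key
        "mac": okm[64:96],       # MAC key
        "iv": okm[96:112],       # other keying material: an IV
    }


def ephemeral_key_agreement():
    """Run both sides of one exchange; returns (initiator_keys, responder_keys)."""
    a_priv, a_pub = generate_ephemeral_keypair()
    b_priv, b_pub = generate_ephemeral_keypair()
    # Each side checks the peer's public value before combining it with its
    # own private value.
    if not (is_valid_public_key(a_pub) and is_valid_public_key(b_pub)):
        raise ValueError("invalid ephemeral public key")
    a_keys = derive_keys(pow(b_pub, a_priv, P), a_pub, b_pub)
    b_keys = derive_keys(pow(a_pub, b_priv, P), a_pub, b_pub)
    # The private values serve this one agreement and are never reused.
    del a_priv, b_priv
    return a_keys, b_keys


if __name__ == "__main__":
    initiator, responder = ephemeral_key_agreement()
    print("both sides derived the same keys:", initiator == responder)
```

Two details are the ones a reviewer would look for: the subgroup check in `is_valid_public_key` (a bare range check would still accept small-order values), and the fixed-width encoding of the shared secret and public values before hashing, so that the key schedule does not depend on the numeric length of a particular run.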
