RE: KISS for PKIX. (Was: RE: Asymmetric authentication
>> From: "Waters, Stephen" <Stephen.Waters@cabletron.com>
>>
>> As you say, if the Phase1 authentication is based on a poorly kept shared
>> (group) key, anything can happen without the need to acquire a device. I
>> don't see that a well chosen, unique, well secured pre-shared secret is
>> much worse than a certificate though.
>If the user is going to have to remember and enter a well chosen, unique
>shared secret, then why shouldn't he just remember his private key and
>do away with XAUTH?
>A private key doesn't have to be kept in a PSE on the pilferable
>laptop; it could be typed when the user establishes a connection.
>A 160-bit private key is (only) 15 S/KEY words, at 11 bits per word.
>1/2 :-)
Sorry, I should have been clearer. I was assuming that the user remembers a
reasonably short password/PIN that is used to access the pre-shared secret,
much in the same way as smartcards can require PIN numbers before you can
use the private key stored on them.
Pre-shared secrets can be quite long - 128 characters? - 1024 bits. Easier to
remember than an RSA key, maybe, but it could still be too long to remember
without writing it down.
Steve.