From: Sam Hartman <hartmans-ietf@mit.edu>
To: wgchairs@ietf.org
Subject: Reminder: automated key management is often required for new protocols
Date: Tue, 21 Aug 2007 12:38:10 -0400 (EDT)

I wanted to send out a brief reminder to working group chairs about
RFC 4107. This BCP, published in June of 2005, gives guidance on when
our protocols need to have an automated key management mechanism.

By this point, you should expect to need to follow RFC 4107 for any
new protocols and should not be surprised when you are required to
update protocols to comply with RFC 4107 in order to significantly
increase their applicability.

In many cases, this means you will need to have an automated mechanism
for doing key management for security mechanisms in your protocol. This
does not mean you need to support PKIs or even public-key operations.

If you have not already taken a look at RFC 4107 in the context of
your working group, please do so. If you have any questions, Tim and I
would be happy to answer them.

I'm writing because it looks like I will file a number of discuss
positions this week asking for significant additional security work to
be done on protocols before they can be published. I'd like to avoid
such late surprises for future work.

Sam Hartman
Security Area Director