Technical Summary
The question often arises of whether or not a given security system
requires some form of automated key management, or whether manual
keying is sufficient. This memo proposes guidelines for making such
decisions. The presumption is that when symmetric cryptographic
mechanisms are used in a protocol, then automated key management is
generally but not always needed. If manual keying is proposed, the
burden of proving that automated key management is not required falls
to the proposer.
Working Group Summary
While this specification is not the product of an IETF working
group, it has been reviewed in the SAAG. There was significant
support for publication in SAAG. Comments from the SAAG review have
been incorporated into the specification.
Protocol Quality
This document has been reviewed by Sam Hartman for the IESG.
RFC Editor Note
In the abstract:
s/proposes/provides/
old:
keying is sufficient. This memo proposes guidelines for making such
new:
keying is sufficient. This memo provides guidelines for making such
Section 2:
old:
In general, automated key management SHOULD be used to establish
session keys. This is a very strong "SHOULD", meaning the
justification is needed in the security considerations section of a
proposal that makes use of manual key management.
new:
In general, automated key management SHOULD be used to establish
session keys. Justification is needed in the security considerations
section of a proposal that makes use of manual key management.
Section 2.2:
s/is/may be/
old:
Manual key management is a reasonable approach in any of these
situations:
new:
Manual key management may be a reasonable approach in any of these
situations:
IANA Note
No IANA actions are required by this document.