Re: Human I&A, IPsec, and their non-relationship



   From: Ran Atkinson <atkinson@sundance.itd.nrl.navy.mil>
   Date: Wed, 14 Dec 1994 16:20:52 -0500

     I've been trying to sort out why so many folks appear to be talking
   past each other recently on this list.  I think I might have partly
   figured it out -- if I'm correct part of the problem is a
   communication gap between several folks (including me)....

Actually, I think the problem is that people have not been explicit
about their goals.....

   % Satisfying user granularity identification, authentication, and access
   % control at the IP layer seems to be one of those issues where desired
   % capabilities and feasibility clash.

	   I do not believe that anyone has proposed or is currently
   advocating use of network-layer or transport-layer encryption to
   provide human--computer identification or authentication.

Actually, over the past couple of IETFs, I have heard people saying,
"isn't IPSEC going to make Kerberos obsolete?"  I think there are those
who believe that the key management protocols and per-user keying of
connection is precisely enough to replace the functionality of
application level security protocols like Kerberos.  Of course, if
you're going to do this, there are all sorts of additional problems that
one has to solve, some of which have already been pointed out on this
list.

As long as we agree on the goals, then hopefully a lot of this
miscommunication will go away.

So --- are we all in agreement with Ran that IPSEC is *not* trying to
solve the human-computer authentication problem?

						- Ted

