Re: DNS? was Key Management
In a galaxy far, far away, : Wed, 14 Aug 1996 16:55:59 PDT
> However, IPSEC only authenticates to IP addresses. There's no further
> identification in the IPSEC packets. Even if usernames or hostnames
> are used in generating keys, there's no well-defined way to get that
> information back to an application; all it has is getpeername().
Well, I'd say that is a limitation of the current APIs, not IPsec itself.
> I also think we should focus on shipping standards that hit the sweet
> spot (most gain for least pain), which includes securing communications
> among all the hosts with fixed IP addresses. If dynamically assigned
I agree here.
> IP addresses are easy, throw 'em in; if not, leave them for the next
> round of standards. Since everyone seems to think they're hard,
In that case, you authenticate the user. You do this by having the
user generate a certificate saying "Packets from a.b.c.d are from me until
<time>" and provide that certificate to the "server" during the key management
phase.
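The last paragraph describes a mechanism rather than a format: the user signs an assertion binding his identity to an IP address for a limited time, hands it to the server during key management, and the server checks it against the peer address it already knows from the IPsec SA. The following is an added illustration, not code from the mail or from any IPsec implementation. It uses a Lamport one-time signature over SHA-256 (standard library only) as a stand-in for whatever public-key scheme the certificate would really carry; the certificate fields (`user`, `addr`, `until`), the `trusted_keys` store and the fixed timestamps are all constructed for the example.

```python
import hashlib
import secrets

# Added example: a user-issued "packets from a.b.c.d are from me until <time>"
# certificate, checked by the server. Signature scheme is a Lamport one-time
# signature over SHA-256, chosen only because it needs no third-party library;
# a real deployment would use an ordinary public-key signature.

HASH = hashlib.sha256
DIGEST_BITS = 256


def lamport_keygen():
    # One-time key: two random 32-byte secrets per message-digest bit.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    # Message digest as a list of 256 bits, most significant first.
    d = int.from_bytes(HASH(msg).digest(), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def lamport_sign(sk, msg: bytes):
    # Reveal, for each digest bit, the secret that corresponds to its value.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != DIGEST_BITS:
        return False
    return all(HASH(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def make_address_cert(user: str, addr: str, until: int, sk):
    # The user's assertion: "packets from <addr> are from <user> until <until>".
    # Each Lamport key must sign exactly one certificate (one-time signature).
    body = f"user={user};addr={addr};until={until}".encode()
    return body, lamport_sign(sk, body)


def verify_address_cert(body: bytes, sig, trusted_keys: dict, peer_addr: str, now: int):
    """Return the authenticated user name, or None if the certificate is rejected.

    trusted_keys: constructed stand-in for the server's store of user public keys.
    peer_addr:    the address the server already has for this peer (what
                  getpeername() / the IPsec SA gives it).
    now:          current time, passed in so the check is deterministic.
    """
    try:
        fields = dict(kv.split("=", 1) for kv in body.decode().split(";"))
        user, addr, until = fields["user"], fields["addr"], int(fields["until"])
    except (ValueError, KeyError, UnicodeDecodeError):
        return None                                  # malformed certificate
    pk = trusted_keys.get(user)
    if pk is None:
        return None                                  # unknown user
    if not lamport_verify(pk, body, sig):
        return None                                  # forged or altered certificate
    if addr != peer_addr:
        return None                                  # binds a different address
    if until < now:
        return None                                  # binding has expired
    return user


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    body, sig = make_address_cert("alice", "10.0.0.5", 1000, sk)
    store = {"alice": pk}
    print(verify_address_cert(body, sig, store, "10.0.0.5", 900))   # alice
    print(verify_address_cert(body, sig, store, "10.0.0.6", 900))   # None
    print(verify_address_cert(body, sig, store, "10.0.0.5", 1001))  # None
```

The server never trusts the address written inside the certificate on its own; it only accepts the binding when that address equals the one the IPsec layer already authenticated, which is what turns "packets from a.b.c.d" into "packets from alice" for the application.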