
Re: DNS? was Key Management



In a galaxy far, far away, : Wed, 14 Aug 1996 16:55:59 PDT
> However, IPSEC only authenticates to IP addresses.  There's no further
> identification in the IPSEC packets.  Even if usernames or hostnames
> are used in generating keys, there's no well-defined way to get that
> information back to an application; all it has is getpeername().

  Well, I'd say that is a limitation of the current APIs, not IPsec itself.

> I also think we should focus on shipping standards that hit the sweet
> spot (most gain for least pain), which includes securing communications
> among all the hosts with fixed IP addresses.  If dynamically assigned

  I agree here.

> IP addresses are easy, throw 'em in; if not, leave them for the next
> round of standards.  Since everyone seems to think they're hard,

  In that case, you authenticate the user. You do this by having the
user generate a certificate saying "Packets from a.b.c.d are from me until 
<time>" and provide that certificate to the "server" during the key management
phase.
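
The scheme sketched in the reply above, worked out as an added Go example; it is not code from the poster or from any IPsec implementation. The post names no signature algorithm and does not say how the server learns the user's key, so the example assumes Ed25519 and assumes the server already trusts the user's public key (obtained out of band). The canonical encoding of the statement, the user name "alice", the address 192.0.2.10 and the times are constructed for the example. The "server" side checks three things during key management: the signature is the user's, the address named in the statement is the address the packets actually arrive from (what getpeername() would report), and the statement has not yet expired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// AddressBinding is the statement "packets from Addr are from User until NotAfter".
type AddressBinding struct {
	User     string
	Addr     net.IP
	NotAfter time.Time
}

// SignedBinding is the binding plus the user's signature over its canonical encoding.
type SignedBinding struct {
	Binding   AddressBinding
	Signature []byte
}

var (
	ErrBadSignature = errors.New("binding: signature does not verify under the user's key")
	ErrAddrMismatch = errors.New("binding: peer address is not the address named in the binding")
	ErrExpired      = errors.New("binding: binding has expired")
)

// encode produces an unambiguous byte string to sign: a length-prefixed user
// name, the 16-byte form of the address, and the expiry as a big-endian Unix time.
// (Encoding is an assumption of this example; the post specifies none.)
func (b AddressBinding) encode() []byte {
	user := []byte(b.User)
	out := make([]byte, 0, 2+len(user)+16+8)
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(user)))
	out = append(out, n[:]...)
	out = append(out, user...)
	out = append(out, b.Addr.To16()...)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(b.NotAfter.Unix()))
	out = append(out, ts[:]...)
	return out
}

// SignBinding is the user's side: sign the statement with the user's private key.
func SignBinding(priv ed25519.PrivateKey, b AddressBinding) (SignedBinding, error) {
	if b.Addr.To16() == nil {
		return SignedBinding{}, errors.New("binding: invalid IP address")
	}
	if len(b.User) > 0xffff {
		return SignedBinding{}, errors.New("binding: user name too long")
	}
	return SignedBinding{Binding: b, Signature: ed25519.Sign(priv, b.encode())}, nil
}

// VerifyBinding is the "server" side during key management. pub is the user's
// public key the server already trusts, peer is the source address the packets
// really come from, and now is the current time.
func VerifyBinding(pub ed25519.PublicKey, sb SignedBinding, peer net.IP, now time.Time) error {
	if sb.Binding.Addr.To16() == nil || !ed25519.Verify(pub, sb.Binding.encode(), sb.Signature) {
		return ErrBadSignature
	}
	if !sb.Binding.Addr.Equal(peer) {
		return ErrAddrMismatch
	}
	if !now.Before(sb.Binding.NotAfter) {
		return ErrExpired
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample binding: alice claims 192.0.2.10 for the next hour.
	b := AddressBinding{User: "alice", Addr: net.ParseIP("192.0.2.10"), NotAfter: now.Add(time.Hour)}
	sb, err := SignBinding(priv, b)
	if err != nil {
		panic(err)
	}
	fmt.Println("same address:  ", VerifyBinding(pub, sb, net.ParseIP("192.0.2.10"), now))
	fmt.Println("other address: ", VerifyBinding(pub, sb, net.ParseIP("192.0.2.11"), now))
	fmt.Println("after expiry:  ", VerifyBinding(pub, sb, net.ParseIP("192.0.2.10"), now.Add(2*time.Hour)))
	tampered := sb
	tampered.Binding.User = "mallory"
	fmt.Println("tampered name: ", VerifyBinding(pub, tampered, net.ParseIP("192.0.2.10"), now))
}
```

The address check is the part that matters for the dynamic-address case: the signature alone only proves the user wrote the statement, and it is the comparison against the real source address, plus the expiry, that stops a stale or copied statement from being replayed from a different host later.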
