
Re: Extended authentication with ISAKMP/Oakley draft



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Ran" == Ran Canetti <canetti@watson.ibm.com> writes:

    Ran> Roy,

    Ran> When I said "adding new modes for ISAKMP/Oakley" I meant adding new
    Ran> methods for carrying out phase 1 (on top of signature, encryption, etc).

  There was some informal discussion about whether to perform the
unidirectional user->server authentication during phase I or phase II.
  Many OTPs may require *multiple* traversals to properly
authenticate. SecurID in NextPIN mode is one good example. X9.9/radius has
less clear requirements. They also benefit greatly from having their
communication channel encrypted, which the ISAKMP SA inherently provides.

  Marcus also mentioned that doing the user->server authentication afterward
maps very nicely to the STS-III protocol, which has been extensively
analysed. Marcus also pointed out that in many environments issuing
certificates to users is still too difficult, but that issuing certificates
to gateways wasn't difficult. This motivates doing token-based authentication
even when the client software can handle certificates.

  I was thinking that the authentication should go in phase I as well.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |   I do IPsec policy code for SSH <http://www.ssh.fi/>
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.
	ON HUMILITY: To err is human, to moo bovine.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNJQT56ZpLyXYhL+BAQFRigL+NAiTKmBUGA6lUl1rGXLfQkNO0HybKSZP
RKI5HvFxrnQT5KzQcJ66Y785IEzIDBqm9ySqi7wyp4BmlU751jXw9VA0hdcpnOcf
rKWrwqn3CWaLcWahv1yGLniTcaNeM1kt
=HHxH
-----END PGP SIGNATURE-----
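The point above that some token schemes need more than one round trip to authenticate (SecurID's next-tokencode behaviour is the example given) is easy to see in code. The following is an added illustration, not code from the draft or from the list members: it uses RFC 4226 HOTP as a stand-in for a proprietary token, a constructed shared secret, and a server that accepts a token inside a small look-ahead window but, when it detects counter drift, demands a *second* token before it will say "ok". The `TokenServer`, `Token` and `run_exchange` names are this example's own. Such an exchange is exactly the kind of multi-traversal that benefits from already running inside an encrypted ISAKMP SA, since the codes would otherwise cross the wire in the clear.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Token:
    """Client-side token: emits the code for its current counter and advances."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Server-side verifier with a look-ahead window and a 'next token' confirmation round.

    Constructed example (not the draft's wire format).  Results of check():
      'ok'         - authenticated, counter resynchronised
      'next-token' - code matched ahead of the expected counter; ask for one more
      'fail'       - no match (or the confirmation round did not match)
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 3):
        self.secret = secret
        self.counter = counter      # next counter value the server expects
        self.window = window
        self.pending = None         # counter the confirmation token must match, if any

    def check(self, code: str) -> str:
        if self.pending is not None:
            # Second traversal: the client must prove it holds the *following* code too.
            expected, self.pending = hotp(self.secret, self.pending), None
            if hmac.compare_digest(expected, code):
                self.counter = self.counter_after_confirm
                return "ok"
            return "fail"

        for k in range(self.window):
            if hmac.compare_digest(hotp(self.secret, self.counter + k), code):
                if k == 0:
                    self.counter += 1
                    return "ok"
                # Counter drift detected: require a second code before accepting.
                self.pending = self.counter + k + 1
                self.counter_after_confirm = self.pending + 1
                return "next-token"
        return "fail"


def run_exchange(server: TokenServer, token: Token, max_rounds: int = 2):
    """Drive the client/server exchange until the server decides; return (result, rounds)."""
    for rounds in range(1, max_rounds + 1):
        result = server.check(token.next_code())
        if result != "next-token":
            return result, rounds
    return "fail", max_rounds


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed for this example
    server, token = TokenServer(secret), Token(secret)
    print(run_exchange(server, token))          # in sync: ('ok', 1)
    token.next_code(); token.next_code()        # user burned two codes without logging in
    print(run_exchange(server, token))          # drift: server demands a second code -> ('ok', 2)
```

The second `run_exchange` call is the case the list discussion cares about: one code is not enough, the server answers with a further challenge, and the client must be able to send another message before the authentication is complete. A phase that can only carry a single request/response pair cannot express that.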

