
Re: Does IPsec undermine PKI?
David,

You are absolutely right.  The point paper is full of rubbish.

1. VPNs using firewalls with AH, ESP and ISAKMP (IPsec) plus
PKI authentication are available.  I tested Checkpoint's
Firewall-1 4.0 beta a few months ago.  It worked quite well
among Firewall-1 gateways.  It uses Entrust PKI, which
was rather cumbersome to install and manage.  I'm not sure
about the inter-operability of gateways among different
vendors.

2. The IPsec protocols use H-MD5 or H-SHA for MAC.
They are more secure than straight MD5 or SHA.

3. PKI is on a different layer from the IPsec protocols.
IPsec does not care about the details of the PKI, be it
X.509 or PGP.  Take my tested Firewall-1 as an example:
when it comes to PKI stuff, it always calls the Entrust library
to deal with it.

Y. John Jiang, Internet Engineer, Internet Security, MCI
703-715-7480, v272-7480, 2100 Reston Parkway, Reston, VA  20191
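As an added illustration of point 2 above (not code from the original post or from Checkpoint/Entrust), the following builds the keyed-hash MAC of RFC 2104 from a plain MD5 or SHA-1 hash and truncates it to the 96-bit integrity check value that AH and ESP carry (RFC 2403/2404); the key and payload are constructed sample values, and the result is checked against Python's `hmac` module.

```python
# Added example (not from the original post): RFC 2104 HMAC built from a
# plain hash, truncated to 96 bits as IPsec AH/ESP do (RFC 2403/2404).
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    block = hashlib.new(hash_name).block_size   # 64 bytes for MD5 and SHA-1
    if len(key) > block:                        # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")             # K' = key zero-padded to a block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def ipsec_icv(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """AH/ESP transmit only the leading 96 bits (12 bytes) of the HMAC."""
    return hmac_rfc2104(key, msg, hash_name)[:12]


def verify_icv(key: bytes, msg: bytes, icv: bytes, hash_name: str) -> bool:
    """Receiver-side check; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(ipsec_icv(key, msg, hash_name), icv)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """Cross-check the hand-built construction against hashlib/hmac."""
    return hmac_rfc2104(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample SA key and payload, not values from any real tunnel.
    key = b"constructed-sa-key"
    payload = b"constructed ESP payload"
    for name in ("md5", "sha1"):
        icv = ipsec_icv(key, payload, name)
        print(name, icv.hex(), matches_stdlib(key, payload, name),
              verify_icv(key, payload + b"!", icv, name))
```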