
Re: Comments on "Hybrid Auth. mode for IKE"



Suresh,

I'm glad we have clarified a number of misunderstandings, though a few
still remain.

>I see your clever rewording :-).
>In reality, users don't have certs and there is a strong demand to
>support existing auth. mechanisms to avail of the IPsec services.

Users with passwords can be issued certs readily.  Users have certs as
much as they have SecurID cards, S-Key software, etc.  Any time we move
beyond what a user can do personally to authenticate himself, to require
computation, the line is blurred.  Hardware tokens are certainly a good way
to personalize computationally intensive auth mechanisms, but they are not
the only game in town.

The primary differences seem to be that your primary goal is to find a way
to make use of existing user auth mechanisms with IPsec, period.  My goal
is to not degrade the minimum quality of security service offered by the
use of IPsec.  Hopefully there may be a way to satisfy both goals, but I am
not prepared to back off on mine in the name of "market demands, legacy
systems, etc."

Steve



