Re: Comments on "Hybrid Auth. mode for IKE"
>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
Stephen> IPsec, period. My goal is to not degrade the minimum quality of
Stephen> security service offered by the use of IPsec. Hopefully there
Stephen> may be a way to satisfy both goals, but I am not prepared to
Stephen> back off on mine in the name of "market demands, legacy systems,
Stephen> etc."
So long as the market provides a superset of what you need, and provides
knobs for the policy controls, shouldn't you be able to do what you want?
[It would also be nice for all vendors on a particular platform to provide
a way (an API) to substitute a different certificate validation function so
that PKIX name constraints could be introduced into products that don't
understand the extensions, but that is something perhaps for PKIX to
standardize]
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.
ON HUMILITY: To err is human, to moo bovine.