Re: Comments on "Hybrid Auth. mode for IKE"
Stephen Kent wrote:
> Users with passwords can be issued certs readily.
This is correct from a technical point of view. But the reality is more
complex, not to mention the current installation base.
> Users have certs as
> much as they have SecurID cards, S-Key software, etc. Any time we move
> beyond what a user can do personally to authenticate himself, to require
> computation, the line is blurred. Hardware tokens are certainly a good way
> to personalize computationally intensive auth mechanisms, but they are not
> the only game in town.
>
> The primary differences seem to be that your primary goal is to find a way
> to make use of existing user auth mechanisms with IPsec, period. My goal
> is to not degrade the minimum quality of security service offered by the
> use of IPsec. Hopefully there may be a way to satisfy both goals, but I am
> not prepared to back off on mine in the name of "market demands, legacy
> systems, etc."
So what you are saying is that everyone that is not yet ready to use
certificates and wants to use a method not vulnerable to dictionary attack is
not allowed to use IPSEC?
Moshe