
Re: Comments on "Hybrid Auth. mode for IKE"



Stephen Kent wrote:

> Users with passwords can be issued certs readily.

This is correct from a technical point of view. But the reality is more
complex, not to mention the current installation base.

> Users have certs as
> much as they have SecurID cards, S-Key software, etc.  Any time we move
> beyond what a user can do personally to authenticate himself, to require
> computation, the line is blurred.  Hardware tokens are certainly a good way
> to personalize computationally intensive auth mechanisms, but they are not
> the only game in town.
>
> The primary differences seem to be that your primary goal is to find a way
> to make use of existing user auth mechanisms with IPsec, period.  My goal
> is to not degrade the minimum quality of security service offered by the
> use of IPsec.  Hopefully there may be a way to satisfy both goals, but I am
> not prepared to back off on mine in the name of "market demands, legacy
> systems, etc."

So what you are saying is that everyone who is not yet ready to use
certificates and wants to use a method not vulnerable to dictionary attack is
not allowed to use IPSEC?

Moshe


