
Re: Use IPSEC as SSH replacement



Will,


>Well, that pretty much rules out X.509 certs.


What are you possibly referring to?

>I don't think what you want exists today, but the specs for IPSEC certainly
>support it.  The following would solve the issue were the following to exist:
>
>1] Use IKE with OpenPGP certs.  They don't constantly expire, don't cost money,
>and you can use whatever trust model you want with them (hierarchy, WOT, etc...)

X.509 certs have no intrinsic cost, expiration times are set by the CA, and
the structure of the PKI in which they exist is determined by the community
in which they are used.  Your comments here suggest that you are equating a
VeriSign model of a public PKI with what X.509 really allows and how it is
often used.


>One day if these worldwide CA-based pay-for-each-cert IPSEC X.509 PKI ramblings
>become accepted and popular, your IKE implementation could also support X.509 and
>be compatible with that too.  In the meantime, I agree that it would be nice to
>get IKE widely usable without the hurdles that seem to have been erected for it.

Yes, this paragraph strongly suggests that your model of X.509 certs is
unduly influenced by VeriSign and is not representative of the underlying
technology.

Steve
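The private X.509 hierarchy Steve describes, where the issuing community rather than a commercial CA picks the lifetimes and the trust anchors, as an added example that is not part of the original thread. It uses only the Go standard library; the CA name, the gateway name, the 20-year and 10-year lifetimes, and the choice of the IPsec tunnel extended key usage are assumptions of this example, not anything the thread states or IKE requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a private root CA plus one end-entity certificate it issued.
type PKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// mint signs tmpl with signer and parses the result (self-signed root: parent == tmpl).
func mint(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPrivatePKI mints a self-signed root and issues one gateway certificate from it.
// The operator picks both validity periods; the subject names are assumed for this example.
func BuildPrivatePKI(caYears, leafYears int) (*PKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Community Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(caYears, 0, 0), // chosen by the issuer, not imposed
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	gwKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leaf, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "gw1.example.internal"}, // assumed gateway name
		DNSNames:     []string{"gw1.example.internal"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(leafYears, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Limiting the leaf to IPsec use is this example's choice, not an IKE requirement.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	}, root, &gwKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Leaf: leaf}, nil
}

// ValidityYears returns the whole years between NotBefore and NotAfter.
func ValidityYears(c *x509.Certificate) int {
	return int(c.NotAfter.Sub(c.NotBefore).Hours() / (24 * 365))
}

// VerifyAgainst validates leaf against a trust store holding exactly the given roots,
// never the system store, and with the EKU this example expects on IPsec certificates.
func VerifyAgainst(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	})
	return err
}

func main() {
	ours, err := BuildPrivatePKI(20, 10)
	if err != nil {
		panic(err)
	}
	theirs, err := BuildPrivatePKI(5, 1)
	if err != nil {
		panic(err)
	}
	fmt.Printf("root valid %d years, gateway valid %d years\n", ValidityYears(ours.Root), ValidityYears(ours.Leaf))
	fmt.Println("own community root:    ", VerifyAgainst(ours.Leaf, ours.Root))
	fmt.Println("other community's root:", VerifyAgainst(ours.Leaf, theirs.Root))
}
```

Run it with `go run`. The lifetimes come out exactly as the issuer chose them, the gateway certificate verifies against its own community's root, and the same certificate is rejected when the trust store holds a different community's root or nothing at all. The trust store is built from an explicitly empty pool rather than the operating system's bundle, which is the point of the argument above: which roots an IKE peer accepts is a local decision, and nothing in X.509 ties it to any public CA.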

