
RE: SSL v IPSEC for management?



You can install additional certificates into your browser and treat them as
trusted. Naturally, these should be retrieved in a secure manner (usually
some out-of-band mechanism). This problem is no different than using certs
with IPSec. You always require a trusted 'root' certificate.

Paul Kierstead
TimeStep Corporation
mailto:pmkierst@timestep.com		http:\\www.timestep.com


> -----Original Message-----
> From: Steven Lee [mailto:slee@cygnacom.com]
> Sent: Tuesday, January 26, 1999 10:48 AM
> To: 'marcvh@aventail.com'; Steven Lee
> Cc: 'Waters Stephen'; Ipsec (E-mail)
> Subject: RE: SSL v IPSEC for management? 
> 
> 
> If the server certificate is not signed by one of the root CAs
> installed in your browser, then you cannot authenticate.  Marc, are you
> assuming that the certificate is issued by one of the root CAs?
> 
> 
> 
> > -----Original Message-----
> > From:	marcvh@aventail.com [SMTP:marcvh@aventail.com]
> > Sent:	Tuesday, January 26, 1999 10:32 AM
> > To:	Steven Lee
> > Cc:	'Waters Stephen'; Ipsec (E-mail)
> > Subject:	Re: SSL v IPSEC for management? 
> > 
> > Steven Lee said:
> > > There are some trade-offs in using the SSL; however, one of the top
> > > issues would be that a client cannot authenticate the server.
> > > Therefore, a server could be someone pretending to be a trusted party
> > > and there is no way for the client to authenticate this information.
> > 
> > What?  That's not true at all; it's just as possible for an SSL client
> > to verify the server's certificate information as it is for a client of
> > any other public-key based security protocol.  Regarding the other
> > discussion, in SSL (and HTTPS, which is HTTP inside SSL/TLS)
> > authentication of the client to the server is generally available as an
> > optional service, while authentication of the server to the client is
> > generally mandatory.
> > 
> > Re the original poster, no, SSL is not known to be vulnerable to replay
> > attacks.  Which one is more suited to your purpose is hard to say from
> > the information you give; SSL is at a higher level, can easily be
> > entirely contained within an application instead of requiring network
> > stack issues, can't protect UDP data, may be more vulnerable to
> > denial-of-service attacks, is probably more vulnerable to traffic
> > analysis, etc. relative to IPSEC.
> > You'll have to decide which of these things are important to you.
> > 
> > I don't understand how SSL per se is vulnerable to things like relay
> > attacks or address-spoofing attacks, although a poorly designed
> > application that used SSL could have such weaknesses.
> > 
> > - Marc
> > 
> > -- 
> > Marc VanHeyningen                 marcvh@aventail.com
> > Internet Security Architect
> > Aventail                          http://www.aventail.com/
> > 
> > 
>
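The point both Paul and Marc make above, that an SSL/TLS client can verify a server certificate only against a root it already trusts, and that whoever controls the trusted store decides what counts as "trusted", can be shown with the openssl CLI. The following script is an added example, not code from any of the posters; it builds a throwaway root CA, a server cert signed by it, and a self-signed impostor cert for the same name (all names are hypothetical), then checks each against a chosen trust anchor.

```shell
#!/bin/sh
# Added example (not part of the original thread). Requires the openssl CLI.
# All keys and certificates are generated into a temporary directory.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_pki: build a private root CA, a server certificate signed by it, and an
# impostor certificate (self-signed, same server name, unrelated key).
make_pki() {
  # Root CA, self-signed (hypothetical name)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Management Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Server key and certificate request (hypothetical host name)
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=mgmt.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # Server certificate issued by the root CA
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
  # Impostor: self-signed certificate claiming the same host name, but not
  # issued by the root the client trusts
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mgmt.example.test" \
    -keyout "$WORK/impostor.key" -out "$WORK/impostor.pem" >/dev/null 2>&1
}

# verify_with_ca CA_FILE CERT_FILE: exit 0 if CERT_FILE chains to CA_FILE,
# non-zero otherwise. This is the check a browser (or IPsec peer) performs
# against its trusted root store.
verify_with_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report LABEL CA_FILE CERT_FILE: human-readable outcome of verify_with_ca.
report() {
  if verify_with_ca "$2" "$3"; then
    echo "$1: trusted"
  else
    echo "$1: NOT trusted"
  fi
}

make_pki
report "server cert vs. our root"      "$WORK/root.pem"     "$WORK/server.pem"
report "impostor cert vs. our root"    "$WORK/root.pem"     "$WORK/impostor.pem"
# If the impostor's own cert gets into the trust store, it is "trusted" too;
# this is why the root must be obtained out of band and guarded.
report "impostor cert vs. impostor root" "$WORK/impostor.pem" "$WORK/impostor.pem"
```

The third line of output is the one that matters operationally: verification says nothing about who the peer really is, only whether its certificate chains to something in the local store. Protecting that store, and the channel used to populate it, is the same problem whether the protocol is SSL/TLS or IPsec.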