
Re: New XAUTH draft



Glen,

If I use a certificate in IKE that attests to my user name, not the name or
address of my computer, then I am doing user authentication.

You may have a point that IKE, given its existing complexity, is an
unfortunate place to add other forms of user auth, but please don't say
that it does not provide user auth under the right (existing)
circumstances.

Also, because IPsec involves access control as a basic security service, if
the SPD entries take the form of user names, then it is preferable that IKE
be able to verify user identity, in order to support the access control
features of IPsec.  If another protocol is employed to verify user identity,
then one creates a more complex interdependence between IPsec and the other
protocol, right?

Steve

