
Re: New XAUTH draft




>Glen,
>
>If I use a certificate in IKE that attests to my user name, not the name or
>address of my computer, then I am doing user authentication.
>

Steve,

I think Glen's point was simply that most implementations that I know of
have the certificate on the host. The day when smart cards that contain
the user's cert become ubiquitous, this will not be a problem.

>
>Also, because IPsec involves access control as a basic security service, if
>the SPD entries take the form of user names, then it is preferable that IKE
>be able to verify user identity, in order to support the access control
>features of IPsec.  If another protocol is employed to verify user identity,
>then one creates a more complex interdependence between IPsec and the other
>protocol, right?

Of course, if an additional protocol is used on the back-end of the security
gateway to authenticate and authorize the user, there is an inter-dependency.
However, a customer may wish to do this in order to be able to centralize
user configuration, which would help scale a large deployment.

PatC
