
Re: New XAUTH draft



Hi Steve,

I sent a reply to Stephane's post in which I referred to this post, but
after re-reading this, I think I misrepresented/misunderstood what was
being said. Additional comments below:

Stephen Kent wrote:

<trimmed...>

> Also, because IPsec involves access control as a basic security service, if
> the SPD entries take the form of user names, then it is preferable that IKE
> be able to verify user identity, in order to support the access control
> features of IPsec.  If another protocol is employed to verify user identity,
> then one creates a more complex interdependence between IPsec and the other
> protocol, right?

I think you're making a case for not using "legacy" protocols at all,
and for using some other (secondary?) authentication mechanism - is that
right?

Scott

