RE: New XAUTH draft
OTOH, a protocol like OCSP will allow you to use certificates without
downloading enormous CRLs. In any case, the draft is describing RADIUS in
addition to certificates, not as a replacement.
Paul Kierstead
TimeStep Corporation
mailto:pmkierst@timestep.com http:\\www.timestep.com
> -----Original Message-----
> From: Bronislav Kavsan [mailto:bkavsan@ire-ma.com]
> Sent: Friday, May 21, 1999 7:35 AM
> To: Greg Carter
> Cc: 'ipsec@lists.tislabs.com'
> Subject: Re: New XAUTH draft
>
>
> Greg,
>
> Example: Mobile Corp. decides to lay off 10,000 workers who
> have certificates
> with expiration date 1 year from now.
> In this scenario - Mobile CA will push 10,000-entry CRL
> files to all IPSec
> devices for a year - I hope these devices have enough memory
> and bandwidth to
> receive these files!!
>
> RADIUS on the other hand - simply removes these entries from
> the database - and
> they are all revoked.
>
> Greg Carter wrote:
>
> > How is that?
> >
> > If you configure your box to check CRLs at each auth AND your CA is
> > intelligent enough to push new CRLs each time a cert is
> revoked I don't see
> > how the "revocation" would be slower than a RADIUS auth,
> and I know it is
> > more secure
> >
> > Bye.
> >
> > > ----------
> > > From: Bronislav Kavsan[SMTP:bkavsan@ire-ma.com]
> > > Sent: Thursday, May 20, 1999 6:27 PM
> > > To: ipsec@lists.tislabs.com
> > > Subject: Re: New XAUTH draft
> > >
> > > One interesting benefit of XAUTH (or rather so-called legacy
> > > authentication
> > > schemes) is that you can revoke a user from the RADIUS database very
> > > quickly and
> > > reliably - for sure much faster and simpler than dealing
> with CRLs in its
> > > current state of PKI.
> > >
> > > Slava Kavsan
> > > IRE
> > >
> > >
>
>
>
>
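The two revocation designs argued over above, as an added toy model (not code from the draft, from TimeStep, or from any poster): a CA that pushes a full CRL to every IPsec device versus a RADIUS-removal/OCSP-style check made against the authority at authentication time. Entry and header byte sizes are assumed constants for the 10,000-user layoff scenario; the security point it shows is the window between a revocation and the device's next CRL, and that a stale CRL must fail closed.

```python
from dataclasses import dataclass, field

CRL_ENTRY_BYTES = 24       # assumed: serial number + revocationDate per entry
CRL_OVERHEAD_BYTES = 512   # assumed: issuer name, validity fields, signature


@dataclass
class Crl:
    """What the CA pushes to every device: the complete revoked-serial list."""
    revoked: set
    this_update: int       # when the list was signed
    next_update: int       # when a fresh list must replace it

    def size_bytes(self):
        return CRL_OVERHEAD_BYTES + CRL_ENTRY_BYTES * len(self.revoked)


@dataclass
class Ca:
    revoked: set = field(default_factory=set)

    def revoke(self, serial):
        self.revoked.add(serial)

    def publish_crl(self, now, lifetime):
        return Crl(set(self.revoked), now, now + lifetime)


def crl_check(device_crl, serial, now):
    """Device-side CRL check. A missing or expired CRL yields 'unknown' so the
    caller can fail closed instead of silently accepting the certificate."""
    if device_crl is None or now > device_crl.next_update:
        return "unknown"
    return "revoked" if serial in device_crl.revoked else "good"


def online_check(authority_revoked, serial):
    """RADIUS-removal / OCSP-style check: ask the authority at auth time, so a
    removal takes effect on the very next authentication attempt."""
    return "revoked" if serial in authority_revoked else "good"


def layoff_scenario(n_users=10_000, crl_lifetime=3600):
    """Constructed scenario from the thread: n_users revoked at t=0, one more
    revoked after the device fetched its CRL. Returns what each design sees."""
    ca = Ca()
    for serial in range(1, n_users + 1):
        ca.revoke(serial)
    device_crl = ca.publish_crl(now=0, lifetime=crl_lifetime)
    late = n_users + 1
    ca.revoke(late)                     # revoked after the push, before next CRL
    return {
        "crl_bytes": device_crl.size_bytes(),          # pushed to every device
        "crl_view": crl_check(device_crl, late, now=10),   # still 'good'
        "online_view": online_check(ca.revoked, late),     # already 'revoked'
        "stale_view": crl_check(device_crl, 1, now=crl_lifetime + 1),
    }
```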