
RE: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACT ION :draft-ietf-pkix-scvp- 00.txt))




>>On a related point, since IKE XAUTH is typically one-way (server
>>authenticating client), secondary authentication does leave the problem of
>>the server being spoofed with a compromised key!

>I thought it was one way the other way, i.e., server is authenticated to
>client via a cert, but client uses only "legacy" auth to server.  If it
>were the other way around it would be awful, as it would open a variety of
>attacks against the legacy systems which could diminish their
>effectiveness.  For example, S/Key is very vulnerable to active server
>spoofing attacks.

I think there has been a proposal along those lines (asymmetric
authentication), but the XAUTH draft does not cover that (I don't think). A
normal symmetric Phase-1 authentication
(pre-shared, signature, encrypted-nonce) is followed by a one-way secondary
authentication via XAUTH.

Cheers, Steve.