Re: Comment on xauth and hybrid



Tamir Zegman wrote:
> 
> Dennis Glatting wrote:
> 
<trimmed...>
> > The PKI reality is there isn't one, so shared secrets, I expect, will
> > be the IPsec authentication mechanism of choice until products mature
> > and prices decline. The difference between simple shared secrets and
> > xauth/hybrid is xauth/hybrid extends existing, seemingly easy to
> > manage, managed shared secret technologies yielding, in my opinion, no
> > motivation to improve the security of infrastructures (i.e.,
> > transition to PKI). Is this where we want to be after several years of
> > work and some cantankerous meetings?
> >
> 
> There is another side to this coin.
> We have many customers that are deferring their migration to IPSec because
> they feel they are not ready to deploy a full scale PKI.
> Xauth/Hybrid makes the move to IPSec easier and allows gradual deployment
> of PKI.
> Sometimes it's easier to jump over two small hurdles rather than over a
> big one.

I agree with Tamir on this point, but think that if we are indeed
viewing this (xauth, hybrid) as an intermediate step, then we should
make this exceedingly clear, and the transition path should be clearly
stated ("clearly" being a relative term at this point in the game).

<more trimmed...>

> >
> > I offer the following suggestions. First, finish a combined
> > xauth/hybrid draft and classify it as experimental. Second, the
> > Security Considerations section of the draft be written not by the
> > draft's proponents but by at least two of its detractors. Finally, set
> > a deadline (perhaps three years) where the PS is committed to
> > historic.
> 
> I'll accept your offer with regard to the Security Considerations section.
> Any volunteers?
> I do not believe that Experimental is the right track for this.

I'd be willing to contribute to the security considerations text.

I'm not sure if the experimental track is right or not, though I do
think that somehow limiting the lifetime of password-based approaches
has a certain appeal. We must grease the skids for PKI deployment, and
not simply provide an excuse for maintaining the status quo, but this is
a complex issue. That is why I think we need a working group to iron it
out.

Scott
