RE: New XAUTH draft
"Due to restrictions in [IKE] regarding the use of Main Mode and
pre-shared keys this protocol MUST NOT be used with [IKE] when
doing Main Mode and pre-shared key authentication. Further, it MUST
NOT be used with any key exchange protocol in which the parties
to the exchange authenticate each other using a "group" pre-shared key
(i.e. one that is shared by more than the two parties to the exchange)."
Dan, I think this is too restrictive. What if I decide to use
main-mode/pre-shared for device-level authentication, and XAUTH for
user-level authentication?
Also, the part about using a "group" pre-shared key is a policy decision, in
my view. If the user/manager is happy with the security policy protecting a
"group" pre-shared key, that should be his policy decision, not ours. It
may be worth some text in the 'Security Considerations', but I don't think
this should even be a "SHOULD" in the protocol itself.
Cheers, Steve.