
RE: New XAUTH draft

    "Due to restrictions in [IKE] regarding the use of Main Mode and 
    pre-shared keys this protocol MUST NOT be used with [IKE] when
    doing Main Mode and pre-shared key authentication. Further, it MUST
    NOT be used with any key exchange protocol in which the parties
    to the exchange authenticate each other using a "group" pre-shared key 
    (i.e. one that is shared by more than the two parties to the exchange)."
Dan,  I think this is too restrictive.  What if I decide to use
main-mode/pre-shared for device level authentication, and XAUTH for
user-level authentication?

Also, the part about using a "group" pre-shared key is a policy decision, in
my view.  If the user/manager is happy with the security policy protecting a
"group" pre-shared key, that should be his policy decision, not ours.  It
may be worth some text in the 'Security Considerations', but I don't think
this should even be a "SHOULD" in the protocol itself. 

Cheers, Steve.
