
[Fwd: New XAUTH draft]

Dan Harkins wrote:
< trimmed >

>  
> The client is presumed to be coming from an unknown IP address so it's
> difficult to have multiple pre-shared keys on the gateway because he
> won't know which one to use. But even if you do find some way (aggressive
> mode using ID_KEYID with some blob there which says "use pre-shared key
> foo" for instance) you still have the burden of maintenance of the
> multiple pre-shared key sets and managing who goes into what set. That
> becomes very Rube Goldbergian and still does not overcome the fact that
> any member in a set can snoop traffic or impersonate any other member of
> the set.
>
>   Dan.

On top of what Dan said, consider an employee who was just sacked.
You now need to modify the pre-shared key used by the set of users he used to
belong to.
You'll need to notify (in a secure manner) all members of the group and give
them the new group secret!
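The two properties the thread points at (any holder of a group pre-shared key can authenticate as any other member, and removing one member forces a re-key of everyone else) can be shown with a small model. The following is an added example, not code from the thread or from any XAUTH/IKE implementation: it reduces the authentication step to an HMAC over the claimed identity and a nonce keyed by the pre-shared key, and the `Gateway` class, the group name "sales" and the user names are constructed for illustration. It contrasts the group-key scheme with a per-user key scheme so the revocation cost of each is visible.

```python
import hashlib
import hmac
import secrets


def authenticator(key: bytes, identity: str, nonce: bytes) -> bytes:
    """Toy stand-in for a PSK-derived authentication hash (constructed, not IKE)."""
    return hmac.new(key, identity.encode() + nonce, hashlib.sha256).digest()


class Gateway:
    """Hypothetical gateway that can hold either group PSKs or per-user PSKs."""

    def __init__(self) -> None:
        self.group_keys: dict[str, bytes] = {}   # group name -> shared key
        self.membership: dict[str, str] = {}     # identity -> group name
        self.user_keys: dict[str, bytes] = {}    # identity -> individual key

    # --- group pre-shared key model (one secret per set of users) ---
    def add_group_member(self, group: str, identity: str) -> bytes:
        key = self.group_keys.setdefault(group, secrets.token_bytes(32))
        self.membership[identity] = group
        return key  # the same secret is handed to every member of the set

    def verify_group_auth(self, identity: str, nonce: bytes, auth: bytes) -> bool:
        group = self.membership.get(identity)
        if group is None:
            return False
        expected = authenticator(self.group_keys[group], identity, nonce)
        return hmac.compare_digest(expected, auth)

    def revoke_group_member(self, identity: str) -> list[str]:
        """Drop one member. The group secret must rotate, so every remaining
        member needs the new secret; returns the identities to notify."""
        group = self.membership.pop(identity)
        self.group_keys[group] = secrets.token_bytes(32)
        return sorted(who for who, g in self.membership.items() if g == group)

    # --- per-user pre-shared key model (one secret per identity) ---
    def add_user(self, identity: str) -> bytes:
        key = secrets.token_bytes(32)
        self.user_keys[identity] = key
        return key

    def verify_user_auth(self, identity: str, nonce: bytes, auth: bytes) -> bool:
        key = self.user_keys.get(identity)
        if key is None:
            return False
        return hmac.compare_digest(authenticator(key, identity, nonce), auth)

    def revoke_user(self, identity: str) -> list[str]:
        self.user_keys.pop(identity, None)
        return []  # nobody else's secret changes


def demo() -> dict:
    """Run both models on constructed data and report the observable outcomes."""
    nonce = b"constructed-nonce-1"

    # Group model: alice, bob and carol share the "sales" secret.
    gw = Gateway()
    alice_key = gw.add_group_member("sales", "alice")
    bob_key = gw.add_group_member("sales", "bob")
    gw.add_group_member("sales", "carol")
    # bob holds only the group secret, but that is exactly what alice holds,
    # so an authenticator he builds under alice's name is accepted.
    forged = authenticator(bob_key, "alice", nonce)
    group_forgery_accepted = gw.verify_group_auth("alice", nonce, forged)
    # Removing bob rotates the secret; alice's old copy stops working and
    # every remaining member must be given the new one.
    to_notify = gw.revoke_group_member("bob")
    old_key_rejected = not gw.verify_group_auth(
        "alice", nonce, authenticator(alice_key, "alice", nonce))

    # Per-user model: each identity has its own secret.
    gw2 = Gateway()
    gw2.add_user("alice")
    bob_only = gw2.add_user("bob")
    user_forgery_accepted = gw2.verify_user_auth(
        "alice", nonce, authenticator(bob_only, "alice", nonce))
    user_revoke_notify = gw2.revoke_user("bob")

    return {
        "group_forgery_accepted": group_forgery_accepted,
        "group_revoke_notify": to_notify,
        "old_group_key_rejected": old_key_rejected,
        "user_forgery_accepted": user_forgery_accepted,
        "user_revoke_notify": user_revoke_notify,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The group model accepts the impersonation and reports two identities to re-provision after one sacking; the per-user model rejects the impersonation and reports nobody. The model says nothing about how the client picks which key to use on an unknown-address gateway, which is the separate problem the quoted message raises.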