
RE: ???????????????



OK then reality check.

We issued certs to every vendor who asked, without looking I think at least
15 to 20 vendors, with 3 or 4 different protocols, with off the shelf
products.  Vendors using our toolkits verified certs from other PKI vendors
as well.  Is that not interop? If a VPN vendor can't get a cert from each of
the PKI vendors at the bakeoff it's because they are incompetent, nothing
more nothing less.  I think you would hear the same thing from the other PKI
vendors.

Sure, you didn't mention vendor names.  But hell, you made broad sweeping
statements about two industries in general.  From what I can see mostly for
effect.

As far as etiquette, well you published bakeoff results. There is no line to
cross, it's binary.  If you would have come to those conclusions some other
way I wouldn't have posted this here.  You know people have been known to
bring code to bakeoffs that isn't exactly release candidate.  They don't
send every developer working on the product; ever think maybe the ones who
seemed a bit clueless were sent while the developers who had a clue about
certs were back at the office?

I have been issuing certs to vendors since the second bakeoff in Boston in
early '97.  The only problem I have run into in the last year is
implementers expecting to use certs without reading a single spec.  It's the
same questions over and over: where do I put the IP address, how do I
generate a PKCS10 request, how do I send a cert in IKE, how do I get a CRL,
and on and on.  RTF specs.

Then without reading the specs they talk to people like you and insist on
how hard it is; well, it's not.  I didn't attempt to write an IKE engine without
reading ISAKMP, IKE, OAKLEY, and DOI.  Why do people think they can use
certs without reading X.509 and PKIX?

Can a Cisco router not get a cert from every PKI vendor? Can a Checkpoint
firewall not get a cert from every PKI vendor? etc., etc. Do the two not
interop? I can remember back to the Ottawa bakeoff where we issued certs to
a Cisco router using SCEP, issued certs to a Raptor Firewall using the
Entrust precursor to CMP and guess what?  They set up a tunnel, then we
revoked the router's cert and guess what?  The tunnel came down at the next
IKE exchange.  Unless there has been some huge incompetence at either of
those companies in the last 2.5 years my guess is that will still work today
with off the shelf products.


Greg Carter
Entrust Technologies - http://www.entrust.com


-----Original Message-----
From: Paul Hoffman [mailto:paul.hoffman@vpnc.org]
Sent: Wednesday, February 09, 2000 12:16 AM
To: ipsec@lists.tislabs.com
Subject: Re: ???????????????


At 08:20 PM 2/8/00 -0500, Greg Carter wrote:
>Paul I could easily spin each of your observations into something positive,
>point out the places where you are wrong, and drag this into a 1000 post
>thread.

Thanks for starting it this way. :-)

>   But instead I'll just ask, what were you thinking?

Of telling the readers who assume that their VPN box from vendor A will 
automatically be able to work with their CA software from vendor B that the 
truth is actually "it might work, it might not". People like to know these 
things, and they understand that they aren't going to hear it from 
individual vendors for obvious reasons.

>   I mean even if
>you really believe the VPN-PKI world is askew is this the best way for a
>consortium to encourage adoption of its technology?

Yes. It brings pressure on VPN vendors and CA vendors to work harder at 
interoperability in this very important area. It also shows where we have 
had success so far. If you can think of a better way to get VPN vendors and 
CAs to follow the standards better, by all means act on it. As we all saw 
at San Diego, the problems in the VPN-PKI area are widespread but by no 
means universal.

>   I know Entrust is not a
>member, so I guess I missed the meeting where you explained how bad press
>helps.

It's not bad press. No one is going to decide not to buy a VPN or a CA 
because of the article. They may shop harder or postpone until their 
preferred vendor adds needed interoperability; both those actions lead 
directly to happier customers.

Also, VPNC had a meeting on Tuesday night of the bakeoff which was open to 
all bakeoff companies, members and non-members alike. There were plenty of 
non-members there, many taking notes.

>Not to mention bakeoff etiquette.

Um, I don't see where I've even gotten close there. I mentioned no 
companies by name, not even hinting. No one reading the article could even 
start to determine which CAs or which VPN vendors did what, or will do what 
in the future. The numbers could easily have been done by polling just VPNC 
members or implementors on this list.

In short, no one is helped by hiding general industry lack of 
interoperability as long as there is something customers can do about it 
(like choosing carefully). It is always a good idea to be honest with 
customers about potential problems before they buy sets of products so that 
the customers get what works for them.

--Paul Hoffman, Director
--VPN Consortium
