
Re: Reliable delete notifies



I can answer that (I am not marketing but I work at a call center and I face questions every day. I also realized the deep misunderstanding during conferences at which I presented).

First, people do not understand IPSec and even less IKE. When you find someone who knows the basics, he generally does not understand how the keys are used. Worse, in the mind of people, the IKE keys are used to encrypt the traffic (sic.). They also believe pre-shared keys are worse than certs or RSA because the pre-shared key is _shorter_ (and no other reason).

They do not want RSA or PKI for simple reasons:

. it is easier to type a pre-shared key that looks like a password. They feel more under control. Transferring large public keys is simply a hassle and they feel insecure.

. public key algorithms blow their mind. They do not see how the RSA keys are related to 3des and so on (sic. again). Or they do not understand why they need the CA cert and the device cert and things like that.

. People believe they have to leave the CA on all the time in all cases (they see it working like DNS sec). They are also afraid the certs are made public (oh yes).

. PKIs are bloody expensive and the software is awfully complex. There is no simple CA to put to work. It always has to be a fully bloated software with tons of components (namely LDAP) people barely understand. I have only seen a single CA easy to set up but the documentation was very poor (unfortunately). The enrollment protocols are very hard to understand (because they already missed the previous step) and CRLs are even worse.

In short:

. it is a matter of education. IKE is still too new to be understood.
. PKI vendors need to come with something veeeeery simple (click click click, no ldap, no tons of passwords, no tons of roles and everything).
. Enrollment protocols are an extra complexity (for the challenged). It should always be possible to copy-paste the certs.

	frederic detienne


-- 
------------------------- * oOo * -------------------------
                     Frederic Detienne
              Cisco Systems Escalation Engineer
                 Security & Network Services

                     Tel 32 2 704 55 55

Jan Vilhuber wrote:
> 
> I can't, of course, say for sure, since I'm not in marketing, but:
> 
> I don't know if it's a problem of inadequate marketing, or with customers,
> but customers don't seem to WANT any sort of Public keys. Whether it's
> equivalent to pre-shared keys (in scaling) or not is apparently not the
> issue (or maybe they aren't being educated by those who know, i.e. sales and
> marketing). I agree that using public keys and distributing them in the same
> way as pre-shared keys (except for the fact that pre-shared keys can be
> typed, whereas public-keys are not easily typed by hand) scales in the same
> way (i.e.  doesn't ;), but there's still the fact that customers seem to WANT
> pre-shared keys.
> 
> Maybe simply getting rid of pre-shared key authentication will help customer
> perception here...
> 
> jan
> 
> On Mon, 9 Oct 2000, Angelos D. Keromytis wrote:
> 
> >
> > In message <200010091255.IAA16481@granger.mail.mindspring.net>, "Thomas Porter,
> >  Ph.D." writes:
> > >
> > >I'm not sure that it matters much here, but we need IPSec solutions, and
> > >are using
> > >them now.  Without the ability to use preshared keys, we would not have
> > >been able
> > >to hack out the solutions we currently have in a production environment..
> >
> > "hack" and "production environment" are very incompatible terms.
> >
> > There's no reason why you can't use public keys and certificates; they
> > have a higher initial setup overhead, but that more than pays off over
> > time in management ease.
> > -Angelos
> >
> >
> 
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
