Re: Reliable delete notifies

> . It is a matter of education. IKE is still too new to be understood.
> . PKI vendors need to come with something veeeeery simple (click click click,
> no ldap, no tons of passwords, no tons of roles and everything).
> . Enrollment protocols are an extra complexity (for the challenged). It should
> always be possible to copy-paste the certs.

Fred, I think you're exactly right.

It's interesting that (two of) the free implementations (FreeS/WAN and OpenBSD)
are actually arguing for public key authentication exclusively. FreeS/WAN uses
OpenSSL, OpenBSD uses both OpenSSL and KeyNote for certificates -- neither in fact
requires any type of infrastructure to use the certificates, and both
allow cut-and-paste. Unfortunately, it's still not simple to generate those
certs...

Having to interoperate with the commercial PKI vendors has always been a pain,
because they each have non-intuitive ways of importing or exporting certs
(some require LDAP or other brain-dead schemes).
-Angelos