
RE: charter question re IKE changes



Jesse,

SSL was designed to address a fundamentally different set of 
communication security requirements, for a client/server model, so it 
is not unreasonable that they made a different decision. However, the 
result is that most users are burdened with the need to remember and 
provide passwords for each public web site they log into via SSL, and 
if these passwords are poorly chosen, the use of encryption does not 
make it harder for an attacker to guess them and masquerade.

IPsec set higher standards for its peer-oriented authentication (not 
client/server). The pushback we see wrt PKI use in dialup 
environments is a result of many factors, some of which have been 
discussed recently on this list. Certainly we know how to generate 
and distribute certs to users who already have entries in a RADIUS 
database. But what products can we buy that allow us to do this? 
So, my view is that the IPsec insistence on high quality, 2-way 
authentication is appropriate, but that implementations have not yet 
provided good enough PKI support to make it easy for folks to 
"embrace" the technology.

Steve

