RE: charter question re IKE changes
Jesse,
SSL was designed to address a fundamentally different set of
communication security requirements, for a client/server model so it
is not unreasonable that they made a different decision. However, the
result is that most users are burdened with the need to remember and
provide passwords for each public web site they log into via SSL, and
if these passwords are poorly chosen, the use of encryption does not
make it harder for an attacker to guess them and masquerade.
IPsec set higher standards for its peer-oriented authentication (not
client server). The push back we see wrt PKI use in dialup
environments is a result of many factors, some of which have been
discussed recently on this list. Certainly we know how to generate
and distribute certs to users who already have entries in a Radius
database. But, what products can we buy that allow us to do this?
So, my view is that the IPsec insistence for high quality, 2-way
authentication is appropriate, but that implementations have not yet
provided good enough PKI support to make it easy for folks to
"embrace" the technology.
Steve