RE: charter question re IKE changes
At 9:31 PM -0400 10/11/00, Stephen Kent wrote:
>certainly we know how to generate and distribute certs to users who
>already have entries in a Radius database.
Of course, if that was all we needed to do, our lives would be
simpler and freer from suffering. However, it isn't. Implementations
of PKI in the user environment have found that distributing the
private keys associated with the public keys in the certs, and doing
so in such a way that the user can use the certificate easily and
flexibly, is the difficult problem. Note that "distributing" is even
difficult when the private-public pair is generated on the user's own
device because the private key has to be secured and yet be made
available through applications that would need the user to sign
things. We know the technology for doing this, but we have so far
implemented it in very klunky fashions. Passwords that can be
memorized by a user seem a lot more attractive to people who don't
understand how utterly insecure they are (and even to some people who
do).
--Paul Hoffman, Director
--VPN Consortium