
Re: charter question re IKE changes



FWIW, I have been working on a Web-based CA that allows a user to
obtain a certificate based upon an existing username/password.  It's
currently set up for web-client certificates (netscape/msie/lynx) but
it could be extended to others as well.

As Steve said, it's not difficult to create such a beast.  However
Paul is right in that nobody has, as of yet, delivered one.

FWIW, at MIT I've set up an IPSec-based tunnel server that uses
HTTPS+Certificates for secure administration.  A user generates their
RSA key and then submits it via SSL for entry into the IPSec database.
They have to use their certs obtained as above.  There ya go!
Automated "password" sharing of RSA keys based upon existing
username/password entries :)

-derek

Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:

> At 12:51 PM -0400 10/12/00, Stephen Kent wrote:
> >Given this perspective, remind me again why knowledgeable folks 
> >prefer passwords, IF we provide them with good software for the 
> >initial certificate issuance process, working from an existing 
> >password database :-)
> 
> Because we don't. I agree with your perspectives about how it *could* 
> work, but that's not what is being delivered. Today's users make 
> choices based on what is available to them today.
> 
> I also think the market disagrees with you about smart cards. Smart 
> cards are only useful where there are smart card readers. They become 
> an obstacle where there are no readers.
> 
> Again, I fully support the use of certs and wish that more users 
> agreed with me. But they don't, and designing a protocol around a 
> wish that has had plenty of time to come true but hasn't is a good 
> way to design yet another protocol that won't get implemented.
> 
> --Paul Hoffman, Director
> --VPN Consortium

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
       warlord@MIT.EDU                        PGP key available
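The issuance step Derek describes (authenticate against an existing username/password entry, take the user's RSA key over SSL, hand back a certificate), as an added Go example that is not code from his MIT CA or from this list. The password store, the "alice" entry, the CA key and the validity periods are all constructed for the example; the server side is a hypothetical `IssueCert` that would sit behind the HTTPS form.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed stand-in for the existing username/password database (SHA-256 of the password;
// a real deployment would use a slow password hash, the issuance flow is the point here).
var passwordDB = map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse"))}
// Hypothetical CA key pair and self-signed CA certificate, generated at startup.
var caKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var caCert = mustCA()
func mustCA() *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Web CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	c, _ := x509.ParseCertificate(der)
	return c
}

// IssueCert is the server side: check the existing password entry, verify the CSR's own
// signature (proof the requester holds the private key), then sign a client cert whose
// identity comes from the login, not from the name in the CSR. Returns the cert in DER.
func IssueCert(user, password string, csrDER []byte) ([]byte, error) {
	want, ok := passwordDB[user]
	got := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return nil, errors.New("authentication failed")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil { // CSR signature = proof of key possession
		return nil, errors.New("bad CSR")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now(), NotAfter: time.Now().Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}
```

The issued certificate's subject is taken from the authenticated login, so a requester cannot ask the CA for someone else's name by putting it in the CSR.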