
Re: exchange type 6?



I think this statement "it's our charter to provide secure protocols and 
standardizing anything less is unacceptable to some of us" is exactly
THE PROBLEM.

Note that you didn't say that it's anywhere in this working group's charter
to enhance the security of the actual products out there. If this was the
case, this working group would stop actively demanding changes in the
way actual products in the field are working. Every change in the protocol
potentially introduces more vulnerabilities in the implementations, many
of which need to support several different versions of the protocol. Actual
implementations, and most notably something that customers have spent a whole
lot of money on, change slowly.

I couldn't care less if there's been discussion that exchange type 6 is
not to be used, or whether any document says exchange type 6 is not to be
used, or any WG chair or security advisor or whatever. Our customers need
to interoperate with others who have products using exchange type 6. It's
as simple as that.

I can understand that some of you don't like these protocols. As a matter
of fact, I don't like these protocols either. Just please stop making our
life any harder than it already is.

Ari

Derrell Piper wrote:
> 
> Will,
> 
> I just don't agree with allocating a reserved number to Config/XAUTH.
> XAUTH was not adopted because it has serious security problems.  We did
> think about this.  The problem is that there's been essentially no progress
> on adopting a viable alternative (e.g. CRACK or Hybrid) so people continue
> to use what they've got.  However, it's our charter to provide secure
> protocols and standardizing anything less is unacceptable to some of us.
> 
> Derrell

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security

