[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: exchange type 6?



  Wow, I'm having flashbacks of the 40bit DES arguments. You can provide 
your customers with a proprietary protocol to satisfy their desires. You
don't need to take valid exchange types from a standard's track protocol 
to do it though.

  One of the happy byproducts of this working group is that lots of
money is being made selling products based on these protocols but let's
not put the cart in front of the horse. We are here to develop and 
standardize secure protocols not to make life easier for companies that
chose time-to-market over security.

  Dan.

On Thu, 22 Feb 2001 18:20:14 +0200 you wrote
> I think this statement "it's our charter to provide secure protocols and 
> standardizing anything less is unacceptable to some of us" is exactly
> THE PROBLEM.
> 
> Note that you didn't say that it's anywhere in this working group's charter
> to enhance the security of the actual products out there. If this was the
> case, this working group would stop actively demanding changes in the
> way actual products in the field are working. Every change in the protocol
> potentially introduces more vulnerabilities in the implementations, many
> of which need to support several different versions of the protocol. Actual
> implementations, and most notably something that customers have spent a whole
> lot of money in, change slowly.
> 
> I couldn't care less if there's been discussion that exchange type 6 is
> not to be used, or whether any document says exchange type 6 is not to be
> used, or any WG chair or security advisor or whatever. Our customers need
> to interoperate with others who have products using exchange type 6. It's
> as simple as that.
> 
> I can understand that some of you don't like these protocols. As a matter
> of fact, I don't like these protocols either. Just please stop making our
> life any more harder than it already is. 
> 
> Ari
> 
> Derrell Piper wrote:
> > 
> > Will,
> > 
> > I just don't agree with allocating a reserved number to Config/XAUTH.
> > XAUTH was not adopted because it has serious security problems.  We did
> > think about this.  The problem is that there's been essentially no progress
> > on adopting a viable alternative (e.g. CRACK or Hybrid) so people continue
> > to use what they've got.  However, it's our charter to provide secure
> > protocols and standardizing anything less is unacceptable to some of us.
> > 
> > Derrell
> 
> -- 
> Ari Huttunen                   phone: +358 9 2520 0700
> Software Architect             fax  : +358 9 2520 5001
> 
> F-Secure Corporation       http://www.F-Secure.com 
> 
> F-Secure products: Integrated Solutions for Enterprise Security


Follow-Ups: References: