
Re: Death to AH (was Re: SA identification)



  Paul,

  I'm sorry. You're absolutely right. I was talking about ICSA. VPNC
does not have this business model nor do they insist that vendors
change their implementation to do things that are clearly not in the
RFC and are of questionable security (i.e. ignoring the lifetime in
one's configured policy). Sorry for any misunderstanding. 

  I would say a VPNC certification means much more than an ICSA one.
More testing of more features by more competent testers.

  Dan, who does not speak for his employer but from experience.

On Wed, 04 Apr 2001 16:07:15 PDT you wrote
> At 12:59 PM -0700 4/4/01, Dan Harkins wrote:
> >   My experience with IPsec compliance organizations is that they do not
> >test full compliance with the RFCs. They test a small subset and then
> >incrementally add things to justify the pound (ton actually) of flesh
> >they take each year for vendors to remain "compliant".
> 
> Sorry, I can't let that one go as universally true. Some 
> organizations work on that model, others don't. VPNC is one that 
> doesn't (either on the "ton" part or on the "each year" part). See 
> the first section at <http://www.vpnc.org/conformance.html> for more 
> details.
> 
> --Paul Hoffman, Director
> --VPN Consortium

