
Re: application layer cross checking



I definitely agree. An API like this would allow applications like Oracle
to work much more easily over the Internet. Oracle already allows for the
use of authentication mechanisms other than username/password, so it
should be relatively easy for us to plug in an IPSEC API.

I use Oracle as an example not only because I work there. :-) I'm sure
that a lot of other applications could use such an API.

In addition, I think that a lot of users think that IPSEC already provides
such an API. We get questions all of the time from people who want to know
if we support IPSEC authentication.

                                          Rick

On Thu, 3 May 2001, Hilarie Orman wrote:

 > Date: Thu, 03 May 2001 15:12:35 -0600
 > From: Hilarie Orman <HORMAN@volera.com>
 > To: mat@cisco.com, smb@research.att.com
 > Cc: ipsec@lists.tislabs.com, warlord@mit.edu
 > Subject: Re: application layer cross checking
 >
 > This is not only a good idea, it's a very important idea in the infinitesimally
 > slow progress towards meaningful authentication and privacy for the
 > Internet.  If this API existed then it would be so much easier to do
 > a good job on inter-organizational access control for a wide range
 > of applications.
 >
 > Hilarie
 >
 >  >>> "Steven M. Bellovin" <smb@research.att.com> 05/03/01 02:05PM >>>
 > In message <15089.46873.137893.423692@thomasm-u1.cisco.com>, Michael Thomas writes:
 >  >Derek Atkins writes:
 >  > > Because applications may not be ipsec peers...  Or, in most cases,
 >  > > ipsec will be host-based, not user-based?
 >  >
 >  >   What's the difference? Why shouldn't I be able to
 >  >   tell the socket layer which identity I want it
 >  >   to use for a particular 5-tuple, and the receiving
 >  >   end be able to verify that, including the application
 >  >   layer being able to cross check?
 >  >
 >  >   If you can't do that, it sure seems like transport
 >  >   mode is severely hamstrung. As in, why bother?
 >
 > Absolutely -- I've been asking for such an API for several years.
 >
 > More specifically, at a minimum I want a way for an application to find
 > out what security mechanisms are in effect for a given socket, and
 > whatever is known about the peer(s).  It's up to the application to
 > decide what permissions are associated with what identities, by
 > whatever means it chooses.  In that sense, it doesn't matter if it's a
 > "user" or a "host" -- the access control mechanisms need not
 > distinguish unless they wish to.
 >
 >
 > 		--Steve Bellovin, http://www.research.att.com/~smb
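The per-socket query Bellovin asks for above ("what security mechanisms are in effect for a given socket, and whatever is known about the peer") together with the application-layer cross check Thomas describes, sketched below as an added Python model. This is not code from the thread, from Oracle, or from any IPsec implementation, and it is not a real OS interface: query_socket_security(), the SIMULATED_SA_TABLE it reads, the SocketSecurity fields, and the rule syntax are all assumptions chosen to show how an application would act on such a report. It makes the two points from the quoted mail concrete: the application, not the stack, decides which permissions an identity gets, and a host identity and a user identity are simply different identity types to the policy, distinguished only where a rule chooses to.

```python
# Added sketch of the socket-security query API discussed in this thread.
# Nothing here is a real IPsec or OS interface: query_socket_security(),
# SIMULATED_SA_TABLE and the rule syntax are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SocketSecurity:
    """What the socket layer would report for one connection (hypothetical)."""
    mechanism: str                  # "none", "ipsec-ah" or "ipsec-esp"
    integrity: bool                 # False for ESP with a NULL authenticator
    peer_id_type: Optional[str]     # IKE-style ID type: "ipv4", "fqdn", "user", "dn"
    peer_id: Optional[str]          # identity the SA was negotiated under


# Constructed stand-in for the kernel's socket-to-SA association, keyed by
# 5-tuple (proto, local addr, local port, remote addr, remote port).
SIMULATED_SA_TABLE = {
    ("tcp", "10.0.0.5", 1521, "10.1.2.3", 40001):
        SocketSecurity("ipsec-ah", True, "ipv4", "10.1.2.3"),
    ("tcp", "10.0.0.5", 1521, "192.0.2.9", 40002):
        SocketSecurity("ipsec-esp", True, "dn",
                       "CN=db1.example.com, O=Example Corp, C=US"),
    ("tcp", "10.0.0.5", 1521, "198.51.100.7", 40003):
        SocketSecurity("ipsec-esp", False, "ipv4", "198.51.100.7"),  # ESP, NULL auth
}


def query_socket_security(five_tuple) -> SocketSecurity:
    """Hypothetical getsockopt-like call: what protects this socket, and who is the peer?"""
    return SIMULATED_SA_TABLE.get(five_tuple, SocketSecurity("none", False, None, None))


@dataclass(frozen=True)
class Rule:
    id_type: str            # which peer_id_type the rule applies to
    pattern: str            # CIDR, "*.suffix", exact name, or a set of RDNs
    permissions: frozenset


def _matches(rule: Rule, peer_id: str) -> bool:
    if rule.id_type == "ipv4":
        return ipaddress.ip_address(peer_id) in ipaddress.ip_network(rule.pattern)
    if rule.id_type in ("fqdn", "user"):
        if rule.pattern.startswith("*."):
            return peer_id.lower().endswith(rule.pattern[1:].lower())
        return peer_id.lower() == rule.pattern.lower()
    if rule.id_type == "dn":
        # Every RDN named in the rule must appear in the peer's DN.
        want = {p.strip().upper() for p in rule.pattern.split(",")}
        have = {p.strip().upper() for p in peer_id.split(",")}
        return want <= have
    return False


class PermissionPolicy:
    """Application-side mapping from authenticated identity to permissions.
    A host address and a user name are just different id_types here; the
    policy only tells them apart where a rule chooses to."""

    def __init__(self, rules):
        self.rules = list(rules)

    def permissions_for(self, sec: SocketSecurity) -> frozenset:
        # Fail closed: without an integrity-protected, authenticated peer, grant nothing.
        if sec.mechanism not in ("ipsec-ah", "ipsec-esp") or not sec.integrity:
            return frozenset()
        if sec.peer_id is None:
            return frozenset()
        granted = set()
        for rule in self.rules:
            if rule.id_type == sec.peer_id_type and _matches(rule, sec.peer_id):
                granted |= rule.permissions
        return frozenset(granted)


def cross_check(sec: SocketSecurity, claimed_id_type: str, claimed_id: str) -> bool:
    """Application-layer cross check: the identity the application protocol
    claims (e.g. a login name in its first message) must be the identity the
    socket layer actually authenticated for this connection."""
    return sec.peer_id_type == claimed_id_type and sec.peer_id == claimed_id


POLICY = PermissionPolicy([
    Rule("ipv4", "10.1.0.0/16", frozenset({"read"})),
    Rule("dn", "O=Example Corp, C=US", frozenset({"read", "write"})),
    Rule("user", "dba@example.com", frozenset({"read", "write", "admin"})),
    Rule("fqdn", "*.partner.example", frozenset({"read"})),
])


def authorize(five_tuple, claimed_id_type=None, claimed_id=None) -> frozenset:
    """Permissions the server may grant this connection after all checks."""
    sec = query_socket_security(five_tuple)
    if claimed_id is not None and not cross_check(sec, claimed_id_type, claimed_id):
        return frozenset()
    return POLICY.permissions_for(sec)


if __name__ == "__main__":
    for tup in SIMULATED_SA_TABLE:
        print(tup[3], sorted(authorize(tup)))
```

Two details are deliberate. The ESP-with-NULL-authenticator entry yields no permissions even though "IPsec is in effect" on that socket: confidentiality without an authenticated peer is no basis for access control, so the report has to say which services, not just which protocol, are in use. And authorize() empties the permission set when the name the application protocol presents disagrees with the identity the socket layer authenticated, which is the cross check the thread is asking the API to make possible.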