
Re: SOI: identity protection and DOS



On Wed, 21 Nov 2001, Michael Thomas wrote:
>    ...considering that you can't tell a priori
>    who's demanding your credentials (cf Radia's
>    post), it seems pretty risky to give out
>    private data to an unauthenticated party.

Yes.  But you may wish to accept that risk, for the sake of authentication
using inconveniently-organized credentials.  If both ends are using such
credentials, *somebody* has to take that risk by speaking first.  Using
such credentials may be a poor choice, but as earlier noted, it's already
being done, so the issue cannot be ignored. 

The point is, willingness to take that risk does *not* imply willingness
to take the much greater risk of exposing that data to passive snoopers.
An impersonation or man-in-the-middle attack is distinctly harder to do
than mere packet monitoring, so it is not ridiculous to desire protection
against the latter while not worrying too much about the former.

                                                          Henry Spencer
                                                       henry@spsystems.net
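The trade-off Henry describes can be made concrete with a small simulation. The following is an added illustration, not code from the thread or from any SOI/IKE implementation: a toy three-message exchange in which the initiator sends its identity encrypted under a fresh Diffie-Hellman key but before it has authenticated the responder (it "speaks first"). The DH group (2^127 - 1 with generator 5), the SHA-256-based stream cipher, the "alice@example.com" identity and the helper names are all constructed for the demo. It shows three things: a passive packet monitor gets nothing from the encrypted-ID design, the same monitor reads the identity outright from a design that puts it in the clear, and an active man-in-the-middle who answers the first message with its own DH value still recovers the identity, because the initiator reveals it to whoever completed the key exchange.

```python
"""Toy model of the identity-protection trade-off discussed above.

Added illustration, not code from the original thread.  The DH group, the
stream cipher and the identities are constructed for the demo; a real
SOI/IKE design uses standardized groups, a real cipher and signatures.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime); far too small for real use
G = 5            # toy generator
ALICE = "alice@example.com"   # constructed identity


def dh_keypair():
    """(private exponent, public value) in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(peer_pub, priv):
    """Session key from the DH shared secret (toy KDF: a single SHA-256)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Toy counter-mode stream cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def exchange(identity, responder_pub_for):
    """Initiator speaks first.  Returns the wire transcript as a list of
    messages.  responder_pub_for(init_pub) -> responder's DH public value,
    so callers can plug in either an honest responder or an attacker."""
    a_priv, a_pub = dh_keypair()
    m1 = a_pub.to_bytes(16, "big")                      # g^a in the clear
    b_pub = responder_pub_for(a_pub)
    m2 = b_pub.to_bytes(16, "big")                      # g^b in the clear
    # Alice now shares a key with *whoever* sent m2 and reveals herself under
    # it before authenticating that party: this is "speaking first".
    m3 = xor_stream(derive_key(b_pub, a_priv), identity.encode())
    return [m1, m2, m3]


def cleartext_exchange(identity):
    """Contrast case: identity sent in the clear in the first message."""
    _, a_pub = dh_keypair()
    return [identity.encode() + b"|" + a_pub.to_bytes(16, "big")]


def passive_snooper_sees_identity(transcript, identity):
    """A packet monitor only has the bytes on the wire, no exponent."""
    return any(identity.encode() in msg for msg in transcript)


def honest_responder_run(identity=ALICE):
    """Honest Bob answers m1; also returns what Bob decrypts from m3."""
    b_priv, b_pub = dh_keypair()
    transcript = exchange(identity, lambda _a_pub: b_pub)
    a_pub = int.from_bytes(transcript[0], "big")
    bob_reads = xor_stream(derive_key(a_pub, b_priv), transcript[2]).decode()
    return transcript, bob_reads


def mitm_run(identity=ALICE):
    """Mallory answers m1 with her own g^m.  Because Alice speaks first,
    Mallory learns the identity without holding any credential at all."""
    m_priv, m_pub = dh_keypair()
    transcript = exchange(identity, lambda _a_pub: m_pub)
    a_pub = int.from_bytes(transcript[0], "big")
    return xor_stream(derive_key(a_pub, m_priv), transcript[2]).decode()


if __name__ == "__main__":
    t, bob = honest_responder_run()
    print("honest run, Bob reads:", bob)
    print("passive snooper, encrypted-ID design:",
          passive_snooper_sees_identity(t, ALICE))
    print("passive snooper, cleartext-ID design:",
          passive_snooper_sees_identity(cleartext_exchange(ALICE), ALICE))
    print("active MITM, encrypted-ID design:", mitm_run())
```

The point of the two attacker models side by side is the one the message makes: the passive monitor needs only a tap, while the man-in-the-middle must inject a message and complete a DH exchange in real time, so a design that defeats the former and accepts the latter is a coherent choice rather than a contradiction.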
