
Re: Please save the pre-shared key mode



Howdy,

	I'm moving my position from 'in favor' to 'neutral' on saving a
pre-shared key authentication mode. It's not PSK itself or even current
look-alike PSK functionality I'd like to see saved. There is a new
feature I want to see added, and that is interaction with legacy
authentication systems in support of remote access users a la
draft-ietf-ipsra-reqmts-04.txt. Whether we use a PSK authentication mode
(which seemed an obvious fit to me) or a PK authentication mode (I'm
willing to learn how if anyone suggests a way) is beside the point to
me.

	All arguments about saving PSK because PSK is easier to test are bogus
even if true. Having a test mode and an operational mode is dumb.

	All arguments that PSK is more or less secure than PK seem to have come
out in a tie in my best estimation. Both depend upon secure practices.

	All arguments that PSK is not scalable enough seem to have fallen a
little flat in the face of operational experience with very large scale
PSK based authentication systems. Even if we do all think that PK could
scale further, PSK seems to be good enough at scaling to have won a
larger piece of the authentication world pie than PK.

	All arguments that a PK auth system can serve all the current
capabilities of a PSK system miss the point of the request that we
actually *add* new functionality to support remote access users.

	All arguments about wanting to simplify our key-exchange authentication
system to just one mode seem great on the face of it. But we might have
an opportunity to add functionality (remote access support) into the
main branch of our key exchange system here. If so, the added
functionality would justify an extra mode... if needed.

	The biggest question in my mind is whether we have the will to add remote
access support since we are now modifying IKE.

-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." Benjamin Franklin

  Ricky Charlet   : SonicWall Inc.   : usa (510) 497-2103
