
Re: SOI QUESTIONS: 2.3 Authentication styles




> Again, IPSEC working group --- please discuss:
> 
> 2.3.A.)  Does SOI need to natively support "legacy authentication
> systems"?

YES. If SOI does not provide native support for this, we can expect some *ugly* solution to come out for it. Thus, a genuine standard is desirable (and it seems PIC will not do). Note that legacy auth may help to support a kind of 'null/public authentication', like ftp's ("anonymous", "root@127.0.0.1" ;-) login. Still there is the question of the how; should we consider some kind of EAP tunnel in SOI?
 
> 2.3.B.)  Does SOI need to natively support some kind of "shared
> secret" scheme?  (Or just certificates-only?)

NO. I understand it as ``Does SOI need to natively support some kind of "administrative laziness" scheme? (Or just minded administration only?)'' ...'hope this does not sound like a flame. What is the value added by shared secret that certificates cannot provide? Use of certificates is realistic even in light scenarios, without a *huge* PKI infrastructure behind, and it helps to foresee growth in the deployment. Such a feature (shared secret) must not be "needed" (but "may" be supported).

--
Jean-Jacques Puig