
Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)



On Tue, 18 Jun 2002, Theodore Ts'o wrote:

> Again, IPSEC working group --- please discuss:
>
> 2.3.A.)  Does SOI need to natively support "legacy authentication
> systems"?

Absolutely yes... for the same reasons everyone has stated.

> 2.3.B.)  Does SOI need to natively support some kind of "shared
> secret" scheme?

Yes... again for stated reasons.  I just want to add the following...

Many customers have deployed with pre-shared key authentication ... will
these customers roll to IKEv2 if this authentication is not supported?
What is their migration path?

If pre-shared key authentication is not supported, is this WG going to
define a minimal set of how PKI is to be used with VPNs?  How keys/certs
are generated and distributed (and the various formats for keys/certs) must
be considered.  If certs are used, a standard profile must be developed for
IPSEC and all vendors MUST support it.  Issues regarding which identities
are used during the exchange and whether or not certs are passed in-line
must also be addressed.  Bottom line: PKI is complicated, even if you
are trying to only implement a subset of the functionality.  IMO, this is
one of the reasons pre-shared keys have such a wide deployment.

Just my $.02.

=====================================================================
= Tylor Allison         Secure Computing Corporation        =========
=====================================================================