Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
On Tue, 18 Jun 2002, Theodore Ts'o wrote:
> Again, IPSEC working group --- please discuss:
>
> 2.3.A.) Does SOI need to natively support "legacy authentication
> systems"?
Absolutely yes... for the same reasons everyone has stated.
> 2.3.B.) Does SOI need to natively support some kind of "shared
> secret" scheme?
Yes... again for stated reasons. I just want to add the following...
Many customers have deployed with pre-shared key authentication ... will
these customers roll to IKEv2 if this authentication is not supported?
What is their migration path?
If pre-shared key authentication is not supported, is this WG going to
define a minimal set of how PKI is to be used with VPNs? How keys/certs
are generated and distributed (and the various formats for keys/certs) must
be considered. If certs are used, a standard profile must be developed for
IPSEC and all vendors MUST support it. Issues regarding which identities
are used during the exchange and whether or not certs are passed in-line
must also be addressed. Bottom-line: PKI is complicated, even if you
are trying to only implement a subset of the functionality. IMO, this is
one of the reasons pre-shared keys have such a wide deployment.
Just my $.02.
=====================================================================
= Tylor Allison Secure Computing Corporation =========
=====================================================================