
Re: SOI QUESTIONS: 2.3 Authentication styles



> 
> 2.3.A.)  Does SOI need to natively support "legacy authentication
> systems"?

As a requirement, absolutely not.

The question is what is the appropriate key exchange protocol to support the
security that should be present in every IP stack on every device that
supports IP.  Implementations that need to support external authentication
protocols should do so via a modular, external protocol.

> 
> 2.3.B.)  Does SOI need to natively support some kind of "shared
> secret" scheme?  (Or just certificates-only?)
> 

While I don't see anything wrong with shared secrets for authentication,
requiring support for public-key based authentication seems like an
acceptable compromise between requiring shared secrets and requiring full certificates
(even self-signed).

The requirement to replace pre-shared secrets used with IKEv1 with simply generated 
public-keys for IKEv2 doesn't seem like a major hurdle in an upgrade path.

-- 
Gary Grebus			
Hewlett-Packard Company		
Tru64 UNIX Base OS Networking
Gary.Grebus@hp.com