
RE: Requirements for IKEv2 implementations



At 4:20 PM -0700 4/29/03, Gregory Lebovitz wrote:
>MY WG and Security Area member perspective:
>Certificates are good security and we should try as much as we can to help
>implementations adopt them.

That's what SHOULD is for. The current text says MUST.

>  Any worthwhile IKEv1 implementation today can
>handle certs.

Sorry, but that is just plain wrong. There are many "worthwhile" 
implementations that don't do certs. There are plenty of "worthwhile" 
implementations that do certs wrong, such as doing things with certs 
that the IKEv1 specs say they SHOULD NOT do.

>Market observer perspective:
>PKI has been a royal pain for many interested in IPsec VPNs. Just ask the
>PKI vendors. They have abandoned the application as a focus for their
>development, marketing and sales. At an absolute minimum, PSS is a MUST.

Exactly right. But there is no reason for two MUSTs for authentication.

--Paul Hoffman, Director
--VPN Consortium