
RE: Requirements for IKEv2 implementations
-----Original Message-----
From: Paul Hoffman / VPNC [mailto:paul.hoffman@vpnc.org] 
Sent: Thursday, May 01, 2003 5:06 PM
To: ipsec@lists.tislabs.com
Subject: RE: Requirements for IKEv2 implementations

At 4:20 PM -0700 4/29/03, Gregory Lebovitz wrote:
>>MY WG and Security Area member perspective:
>>Certificates are good security and we should try as much as we can to help
>>implementations adopt them.

>That's what SHOULD is for. The current text says MUST.

>>  Any worthwhile IKEv1 implementation today can
>>handle certs.

>Sorry, but that is just plain wrong. There are many "worthwhile"
>implementations that don't do certs. There are plenty of "worthwhile"
>implementations that do certs wrong, such as doing things with certs
>that the IKEv1 specs say they SHOULD NOT do.

Agreed, and as with anything it also depends on how the solution is being
implemented. ICSA Labs has 47 tested IKEv1 products using PSK that have been
certified as interoperable, none of which I would call "not" worthwhile.

As the alternative, for those that have implemented PKI, 11 products have
been tested and certified within our 1.1 Criteria program, which mandates
certificate authentication, all of which have been tested and certified as being
interoperable with each other. It all depends on what the customer needs,
but making PKI a MUST at this point is jumping the gun. SHOULD is
appropriate.


>>Market observer perspective:
>>PKI has been a royal pain for many interested in IPsec VPNs. Just ask the
>>PKI vendors. They have abandoned the application as a focus for their
>>development, marketing and sales. At an absolute minimum, PSS is a MUST.

>Exactly right. But there is no reason for two MUSTs for authentication.

Again, agreed. I feel like a red-headed step-child when trying to resolve
issues with PKI vendors or even getting support on our own test bench CAs.

Mark Zimmerman
IPSec Technology Program Manager
ICSA Labs
>--Paul Hoffman, Director
>--VPN Consortium

***********************************************************************
This message is intended only for the use of the intended recipient and
may contain information that is PRIVILEGED and/or CONFIDENTIAL.  If you
are not the intended recipient, you are hereby notified that any use,
dissemination, disclosure or copying of this communication is strictly
prohibited.  If you have received this communication in error, please
destroy all copies of this message and its attachments and notify us
immediately.
***********************************************************************