
Re: The remaining IKEv2 issues





>>>>> "Theodore" == Theodore Ts'o <tytso@mit.edu> writes:
    Theodore> OK, so, how do we resolve this?

    Theodore> On the other hand, in order to be realistic, we should at least
    Theodore> take a moment to recognize that there is going to be a very
    Theodore> strong market demand for this support, given the assumption by
    Theodore> many corporations that everything behind the firewire is
    Theodore> goodness and light and is fully secure.  In those environments,

  One simple answer is that we do not accept non-kg EAP as the way to do
X9.9/SecureID/token based authentication. We do, instead, accept XAUTH or
something.

  {I say all of this, still preferring SMB's original proposal...}

  If we accept non-kg EAP methods, then we must make a strong statement to
the effect that the credentials MUST not be used to authenticate to parties
of differing trust. 
  I.e. maybe it is okay for the corporate "extranet" web server to use the
employee's EAP credentials to form an IPsec tunnel to the employee's desktop
to retrieve that file. It just isn't okay for company A's web server to
use credentials from company B for things they weren't intended for. (noting
that B's web server must already have some RADIUS-like relationship with A's
authentication server in order to perform the legitimate authentication)

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
