[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The remaining IKEv2 issues

To: Yoav Nir <ynir@checkpoint.com>
Subject: Re: The remaining IKEv2 issues
From: Uri Blumenthal <uri@lucent.com>
Date: Wed, 27 Aug 2003 14:17:38 -0400
Cc: ipsec@lists.tislabs.com
Organization: Lucent Technologies / Bell Labs
Original-CC: ipsec@lists.tislabs.com
References: <11F4181E-D605-11D7-8A52-000A95834BAA@checkpoint.com>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 (CK-LucentTPES)

On 8/24/2003 3:32 AM, Yoav Nir wrote:
> Hi Uri,

Hi, and thanks for your response.

> Re: not using kg methods.  SecurID belongs to a certain vendor, and 
> they can create a kg method that suits them.  In fact, they have, but 
> they won't publish the spec, so I can't implement it. 

Yes, but what I had in mind is - at the very worst we can mix the
data from the exchange into the key generation mechanism input.

Would it not make sense?

> Now let's take another example.  A customer keeps all his 
> username/passwords on the mainframe, because that's the only computer 
> they trust.  The only access our IKE gateway has to the mainframe is 
> running something called a RACINIT, that allows you to pass the 
> username and the password, and get a yes/no response.  How can we get 
> this to work, if the gateway never knows what the password is?....

Yes I see your point...

Thanks!

Regards,
Uri.

Follow-Ups:
- Re: The remaining IKEv2 issues
  - From: Stephen Kent <kent@bbn.com>

References:
- Re: The remaining IKEv2 issues
  - From: Yoav Nir <ynir@CheckPoint.com>

Prev by Date: Re: IKEv2 SA rekeying - naming an initial SA
Next by Date: Re: The remaining IKEv2 issues
Prev by thread: Re: The remaining IKEv2 issues
Next by thread: Re: The remaining IKEv2 issues
Index(es):
- Date
- Thread