
Re: [Ipsec] Re: IKEv2 AUTH payload



On Fri, Apr 16, 2004 at 05:14:42PM -0500, Nicolas Williams wrote:
> On Fri, Apr 16, 2004 at 05:51:57PM -0400, Bill Sommerfeld wrote:
> > > I'm not too familiar with the various user authentication methods,
> > > but do any of these methods support the notion of an authentication
> > > lifetime?
> > 
> > Yes.  (Kerberos is a notable example).
> 
> And plain old PKI too, since certificates have expiration dates.
> 
> Suppose you're using something like kx509 to get short-lived certs
> issued after authenticating with Kerberos V... presumably you'd want
> sessions authenticated with such certs to expire when the certs do.

And the GSS-API (which allows for non-infinity security context
lifetimes).

The right way to make use of Kerberos V, in general, is through the
GSS-API.  I do hope that if and when the IETF goes on to consider how to
authenticate IPsec IDs with Kerberos V that the GSS-API will be used
instead of raw Kerberos V.

Nico
-- 
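The thread's point, that a session authenticated with an expiring credential (a short-lived kx509 certificate, a Kerberos ticket, a GSS-API context with a finite lifetime) should not outlive that credential, can be made concrete. The following is an added illustration by the editor, not code from the original post or from any IKE implementation; the `Credential`/`IkeSa` types, the `plan_next_action` helper and its default five-minute margin are assumptions made for the example. It also goes one step beyond the text: it distinguishes a rekey (fresh keys, same authentication) from a reauthentication (the peer must prove its identity again), because when the credential is what forces the expiry, a rekey alone would keep the session alive on a credential that no longer validates.

```python
"""Bound an IKE SA's lifetime by the lifetime of the credential behind it.

Editor's illustration (not from any IKE implementation).  An IKE SA has a
configured lifetime, and the peer was authenticated with a credential that
itself expires: an X.509 notAfter, a Kerberos ticket endtime, or a GSS-API
context lifetime.  The SA must end no later than the credential does, and
when the credential is the binding constraint a plain rekey is not enough.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Credential:
    kind: str            # constructed labels: "x509", "kerberos", "gss"
    not_after: datetime  # cert notAfter / ticket endtime / GSS context expiry


@dataclass(frozen=True)
class IkeSa:
    established: datetime
    configured_lifetime: timedelta
    credentials: Tuple[Credential, ...]  # credentials used at IKE_AUTH


def credential_expiry(sa: IkeSa) -> Optional[datetime]:
    """Earliest expiry among the credentials that authenticated the SA."""
    if not sa.credentials:
        return None
    return min(c.not_after for c in sa.credentials)


def effective_lifetime_end(sa: IkeSa) -> datetime:
    """The SA ends at the configured lifetime or at the credential expiry,
    whichever comes first."""
    configured_end = sa.established + sa.configured_lifetime
    cred_end = credential_expiry(sa)
    return configured_end if cred_end is None else min(configured_end, cred_end)


def plan_next_action(sa: IkeSa,
                     margin: timedelta = timedelta(minutes=5)) -> Tuple[datetime, str]:
    """Decide what must happen before the SA expires, and when.

    "rekey": the credential outlives the SA, so new keys under the existing
             authentication are sufficient.
    "reauthenticate": the credential expires first, so the peer must be
             authenticated again with a credential that is still valid.
    `margin` is the lead time before the hard deadline (an assumed default).
    """
    cred_end = credential_expiry(sa)
    if cred_end is not None and cred_end <= sa.established:
        # Refuse to build an SA on a credential that has already expired.
        raise ValueError("credential already expired at SA establishment")
    configured_end = sa.established + sa.configured_lifetime
    if cred_end is not None and cred_end <= configured_end:
        return cred_end - margin, "reauthenticate"
    return configured_end - margin, "rekey"


def credential_valid_at(sa: IkeSa, at: datetime) -> bool:
    """True if every credential behind the SA is still within its lifetime."""
    return all(at < c.not_after for c in sa.credentials)


def demo() -> dict:
    """Two constructed scenarios: a one-hour kx509-style cert versus a
    ten-hour Kerberos ticket, each behind an SA configured for eight hours."""
    now = datetime(2004, 4, 16, 22, 0, tzinfo=timezone.utc)  # constructed
    short_cert = Credential("x509", now + timedelta(hours=1))
    ticket = Credential("kerberos", now + timedelta(hours=10))
    cert_sa = IkeSa(now, timedelta(hours=8), (short_cert,))
    krb_sa = IkeSa(now, timedelta(hours=8), (ticket,))
    cert_when, cert_action = plan_next_action(cert_sa)
    krb_when, krb_action = plan_next_action(krb_sa)
    try:
        plan_next_action(IkeSa(now, timedelta(hours=8),
                               (Credential("gss", now - timedelta(seconds=1)),)))
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {
        "cert_action": cert_action,
        "cert_when": cert_when.isoformat(),
        "cert_end": effective_lifetime_end(cert_sa).isoformat(),
        "cert_valid_at_90min": credential_valid_at(cert_sa, now + timedelta(minutes=90)),
        "krb_action": krb_action,
        "krb_when": krb_when.isoformat(),
        "expired_rejected": expired_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The short-lived certificate forces a reauthentication at 22:55, five minutes before its notAfter, even though the SA was configured for eight hours; the Kerberos-backed SA only needs a rekey shortly before its own eight-hour limit. The same shape applies to a GSS-API context: feed its remaining lifetime in as the credential expiry.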

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec