Re: [Ipsec] Re: IKEv2 AUTH payload
- To: Bill Sommerfeld <sommerfeld@east.sun.com>, Geoffrey Huang <ghuang@cisco.com>, Yoav Nir <ynir@checkpoint.com>, Pasi.Eronen@nokia.com, ipsec@ietf.org
- Subject: Re: [Ipsec] Re: IKEv2 AUTH payload
- From: Nicolas Williams <Nicolas.Williams@sun.com>
- Date: Fri, 16 Apr 2004 17:34:14 -0500
- In-reply-to: <20040416221442.GF22519@binky.central.sun.com>
- List-help: <mailto:ipsec-request@ietf.org?subject=help>
- List-id: IP Security <ipsec.ietf.org>
- List-post: <mailto:ipsec@ietf.org>
- List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
- List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
- Mail-followup-to: Bill Sommerfeld <sommerfeld@east.sun.com>,Geoffrey Huang <ghuang@cisco.com>, Yoav Nir <ynir@checkpoint.com>,Pasi.Eronen@nokia.com, ipsec@ietf.org
- References: <40801AE8.7030207@cisco.com> <200404162151.i3GLpvQU012761@thunk.east.sun.com> <20040416221442.GF22519@binky.central.sun.com>
- Sender: ipsec-admin@ietf.org
- User-agent: Mutt/1.4i
On Fri, Apr 16, 2004 at 05:14:42PM -0500, Nicolas Williams wrote:
> On Fri, Apr 16, 2004 at 05:51:57PM -0400, Bill Sommerfeld wrote:
> > > I'm not too familiar with the various user authentication methods,
> > > but do any of these methods support the notion of an authentication
> > > lifetime?
> >
> > Yes. (Kerberos is a notable example).
>
> And plain old PKI too, since certificates have expiration dates.
>
> Suppose you're using something like kx509 to get short-lived certs
> issued after authenticating with Kerberos V... presumably you'd want
> sessions authenticated with such certs to expire when the certs do.
And the GSS-API (which allows for non-infinity security context
lifetimes).
The right way to make use of Kerberos V, in general, is through the
GSS-API. I do hope that if and when the IETF goes on to consider how to
authenticate IPsec IDs with Kerberos V that the GSS-API will be used
instead of raw Kerberos V.
Nico
--
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
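The point argued in this message and the one it quotes, that a session authenticated with a short-lived credential should not outlive that credential, can be shown as a lifetime-bounding step an IKE responder would run after AUTH succeeds. The Go below is an added illustration, not code from this thread or from any IKEv2 implementation. It takes the credential lifetime from two sources the thread mentions: a certificate's NotAfter (the kx509 case) and a GSS-API time_rec, where GSS_C_INDEFINITE (0xffffffff, per RFC 2744) means the context has no expiry. The function names (CertBound, GSSBound, SALifetime), the 8-hour configured SA lifetime and the self-signed certificate are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// GSSIndefinite is GSS_C_INDEFINITE from RFC 2744: the time_rec value a
// GSS-API mechanism returns when the security context never expires.
const GSSIndefinite uint32 = 0xffffffff

// CertBound returns how long the authenticating certificate stays valid
// from now. An error means the certificate must not authenticate the SA
// at all (not yet valid, or already expired).
func CertBound(cert *x509.Certificate, now time.Time) (time.Duration, error) {
	if now.Before(cert.NotBefore) {
		return 0, errors.New("certificate not yet valid")
	}
	if !now.Before(cert.NotAfter) {
		return 0, errors.New("certificate expired")
	}
	return cert.NotAfter.Sub(now), nil
}

// GSSBound converts a GSS-API context lifetime (time_rec, in seconds) into
// an upper bound on the SA lifetime. ok == false means the context is
// indefinite and imposes no bound.
func GSSBound(timeRec uint32) (time.Duration, bool) {
	if timeRec == GSSIndefinite {
		return 0, false
	}
	return time.Duration(timeRec) * time.Second, true
}

// SALifetime clamps the locally configured IKE SA lifetime to the
// remaining lifetime of the credential that authenticated the peer.
func SALifetime(configured, credential time.Duration) time.Duration {
	if credential < configured {
		return credential
	}
	return configured
}

// selfSignedCert builds a throwaway certificate valid over the given
// window. Constructed input standing in for a kx509-style short-lived cert.
func selfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "short-lived-ike-peer"}, // hypothetical name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Fixed clock so the example is reproducible.
	now := time.Date(2004, 4, 16, 22, 0, 0, 0, time.UTC)
	cert, err := selfSignedCert(now.Add(-time.Hour), now.Add(2*time.Hour))
	if err != nil {
		panic(err)
	}
	bound, err := CertBound(cert, now)
	if err != nil {
		panic(err)
	}
	configured := 8 * time.Hour
	fmt.Println("cert-bound SA lifetime:", SALifetime(configured, bound))
	if b, ok := GSSBound(3600); ok {
		fmt.Println("GSS-bound SA lifetime:", SALifetime(configured, b))
	}
	if _, ok := GSSBound(GSSIndefinite); !ok {
		fmt.Println("indefinite GSS context: SA keeps configured lifetime", configured)
	}
}
```

With an 8-hour configured lifetime and a certificate that expires in two hours, the SA is limited to two hours; a GSS-API context reporting GSS_C_INDEFINITE leaves the configured value alone, which is the "non-infinity" distinction the message draws.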