
Re: Fw: IPSec vs. SSL





Much of this SSL vs. IPsec discussion has been based on unarticulated assumptions, and there have been some explicit technical errors, further confusing the debate.

One fair observation is that SSL configuration, from a client perspective, is much easier than for IPsec precisely because SSL does not address access control issues. Even at the server side, access control is an add-on, outside the scope of SSL. This relates to the observation made earlier re pre-configured CAs in SSL clients. This is a convenience feature that works fairly well for the public access to server model that SSL is designed to support. It is less attractive in an intranet environment, as it creates more opportunities for spoofing. But, even this is not a criticism of SSL, because SSL does not embody any notion of root CAs in clients. All of that is outside the SSL spec, and is not standardized.

So, let's keep in mind the differences between standards and implementations when comparing SSL and IPsec. There are legitimate differences in services and functional requirements between these protocols, and many of these differences relate to the contexts for which each was designed. In some cases they might be competitors, in other cases one offers features that make it incomparable to the other.

Steve