
Re: [Ipsec] FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt

I see our introduction needs more work!

On 12/4/06, Nicolas Williams <Nicolas.Williams@xxxxxxx> wrote:
> On Wed, Nov 29, 2006 at 07:16:29PM +0200, Arik Friedman wrote:
> >    This document describes an extension to IKEv2 that allows an endpoint
> >    to prove to a security gateway that it was already authenticated by
> >    another trusted security gateway, thereby allowing the authentication
> >    of the endpoint without user intervention.  This is accomplished
> >    using a Short Term Credential that the endpoint requests from the
> >    authenticating security gateway.  This credential is a certificate
> >    issued by the authenticating gateway for a short period of time, and
> >    it can be used to authenticate the user with IKE signature based
> >    authentication.
>
> Sounds like a ticketing system.


However, more VPN gateways and clients are PKI-capable than are
Kerberos-capable.  We aim to use PKI capabilities of the client,
without requiring the administrator to deploy PKI to clients.

> Sounds like Kerberos V (with PKINIT).

We are after a lighter weight solution than Kerberos.  (RFC 4556 uses
client certs to produce Kerberos authentication, we use IKE EAP
authentication to produce a client cert).

Obviously Kerberos authentication (or PKI authentication) for clients
could solve re-authentication issues.  So-called "legacy"
authentication is a fact of life.  Kerberos (and PKI deployment for
client certs) are less so.

> Sounds fairly unrelated to IKEv2 and rather specific to PKIX.

PKIX specifies certificate infrastructures which we use -- we do not
rewrite RFC 3280, we use it.

Our draft defines an IKEv2 exchange allowing a client to request
short-term credentials, and specifies behaviour for such an exchange.
It provides a re-authentication mechanism that requires fewer new
entities than would using Kerberos (or yet another EAP method).

We have to make these points clearer in -01.


Ipsec mailing list
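The mechanism the quoted abstract describes, as an added worked example in Go (it is not code from the draft or from either correspondent): an authenticating gateway issues a short-lived certificate for the client's key once the client has authenticated, and a second gateway accepts that certificate in IKE signature-based authentication, rejecting it once the window has closed or when the issuer is not a gateway it trusts. The example uses Go's standard crypto/x509 with Ed25519 keys; the gateway names, the fixed clock and the bytes standing in for the IKEv2 AUTH input are constructed, and both the IKEv2 exchange that carries the credential request and the EAP authentication that precedes issuance are assumed to have happened and are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts the demo on an unexpected error (keys are generated fresh on each run).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newGatewayCA gives a security gateway a self-signed issuing certificate.
// Gateway names and lifetimes here are constructed for this example.
func newGatewayCA(name string, now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, priv
}

// issueShortTermCert is the authenticating gateway's side: once the client has passed
// its (EAP) authentication, it binds the user name and the client's public key into a
// certificate that is valid only for ttl.
func issueShortTermCert(gw *x509.Certificate, gwKey ed25519.PrivateKey, clientPub ed25519.PublicKey,
	user string, now time.Time, ttl time.Duration) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now,
		NotAfter:     now.Add(ttl), // the short validity window is the whole point
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, gw, clientPub, gwKey)
	must(err)
	cred, err := x509.ParseCertificate(der)
	must(err)
	return cred
}

// verifyShortTermCert is the second gateway's side: chain the presented credential to a
// gateway it trusts to issue, evaluated at its own clock, and require a client-auth
// credential. Returns nil when the credential is accepted.
func verifyShortTermCert(cred *x509.Certificate, trusted []*x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	_, err := cred.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Outcome records what the verifying gateway decided in each case.
type Outcome struct {
	AcceptedFresh     bool // inside its window, trusted issuer
	AcceptedExpired   bool // same credential after its window closed
	AcceptedUntrusted bool // well-formed, but issued by a gateway the verifier does not trust
	ProofOfPossession bool // client's signature over the AUTH input checks against the credential's key
}

func runScenario() Outcome {
	now := time.Date(2006, 12, 4, 12, 0, 0, 0, time.UTC) // fixed clock, constructed
	gwA, keyA := newGatewayCA("gateway-a.example", now)
	rogue, rogueKey := newGatewayCA("rogue.example", now)
	clientPub, clientKey, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	// Gateway A has authenticated "alice" (EAP, not modelled) and issues a 10-minute credential.
	cred := issueShortTermCert(gwA, keyA, clientPub, "alice", now, 10*time.Minute)
	trusted := []*x509.Certificate{gwA} // the issuers gateway B accepts credentials from
	var o Outcome
	o.AcceptedFresh = verifyShortTermCert(cred, trusted, now.Add(5*time.Minute)) == nil
	o.AcceptedExpired = verifyShortTermCert(cred, trusted, now.Add(11*time.Minute)) == nil
	// Signature-based IKE AUTH: the client proves it holds the key named in the credential.
	// The signed bytes are a constructed stand-in for the real IKEv2 AUTH input.
	authData := []byte("constructed stand-in for the IKEv2 AUTH input")
	sig := ed25519.Sign(clientKey, authData)
	o.ProofOfPossession = ed25519.Verify(cred.PublicKey.(ed25519.PublicKey), authData, sig)
	// A credential from a gateway B does not trust is rejected even though it is well-formed.
	rogueCred := issueShortTermCert(rogue, rogueKey, clientPub, "alice", now, 10*time.Minute)
	o.AcceptedUntrusted = verifyShortTermCert(rogueCred, trusted, now.Add(5*time.Minute)) == nil
	return o
}
```

What the verifying gateway needs is only what the thread says a PKI-capable gateway already has: the issuing gateways' certificates as trust anchors, a reasonably accurate clock and ordinary certificate-path validation; there is no ticket-granting service and no shared key between gateways. The short validity window is what stands in for revocation, so the acceptable ttl is a policy decision about how long a stolen credential may remain usable, and clock skew between gateways has to be smaller than that window for the scheme to work.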