[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt

To: ipsec@xxxxxxxx
Subject: Re: [Ipsec] FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt
From: "Ariel Shaqed (Scolnicov)" <ariel.shaqed+ietf@xxxxxxxxx>
Date: Mon, 4 Dec 2006 12:17:10 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=MyTzmYYKsq3EzrDeO6Q0S5vayj2PmHWWJ+sLk6R1mzp8NjICOvTHj47VSaeE8coqZxi0URTDKpoH/252dRkrhQTVN+0iflLQy9FtWjJlE4ul0rBRmE+AN/eYCSZhsBWwKtVfixuwwtBlq10mqEej2Rar6vhwMF+CJS9notIKsZY=
In-reply-to: <20061204051306.GJ5938@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <0J9I004QA59AFAC0@xxxxxxxxxxxxxxxxxxxx> <20061204051306.GJ5938@xxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-ipsec@xxxxxxxxxxxxx

I see our introduction needs more work!

On 12/4/06, Nicolas Williams <Nicolas.Williams@xxxxxxx> wrote:

On Wed, Nov 29, 2006 at 07:16:29PM +0200, Arik Friedman wrote:
>    This document describes an extension to IKEv2 that allows an endpoint
>    to prove to a security gateway that it was already authenticated by
>    another trusted security gateway, thereby allowing the authentication
>    of the endpoint without user intervention.  This is accomplished
>    using a Short Term Credential that the endpoint requests from the
>    authenticating security gateway.  This credential is a certificate
>    issued by the authenticating gateway for a short period of time, and
>    it can be used to authenticate the user with IKE signature based
>    authentication.

Sounds like a ticketing system.


True.

However, more VPN gateways and clients are PKI-capable than are
Kerberos-capable.  We aim to use PKI capabilities of the client,
without requiring the administrator to deploy PKI to clients.

Sounds like Kerberos V (with PKINIT).


We are after a lighter weight solution than Kerberos.  (RFC 4556 uses
client certs to produce Kerberos authentication, we use IKE EAP
authentication to produce a client cert).

Obviously Kerberos authentication (or PKI authentication) for clients
could solve re-authentication issues.  So-called "legacy"
authentication is a fact of life.  Kerberos (and PKI deployment for
client certs) are less so.

Sounds fairly unrelated to IKEv2 and rather specific to PKIX.


PKIX specifies certificate infrastructures which we use -- we do not
rewrite RFC 3280, we use it.

Our draft defines an IKEv2 exchange allowing a client to request
short-term credentials, and specifies behaviour for such an exchange.
It provides a re-authentication mechanism that requires fewer new
entities than would using Kerberos (or yet another EAP method).

We have to make these points clearer in -01.

Thanks,
--
Ariel.

_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec

References:
- [Ipsec] FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt
  - From: Arik Friedman
- Re: [Ipsec] FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt
  - From: Nicolas Williams

Prev by Date: Incredible prices
Next by Date: extend
Previous by thread: Re: [Ipsec] FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt
Next by thread: pigs
Index(es):
- Date
- Thread