
Re: CRACK



Dan Harkins wrote:
> 
>   A few weeks ago I was alluding to a draft which would address the
> desire to do token card authentication in IKE (and do it securely).
> The draft is out but is an individual I-D submission due to the fact
> that remote access is going to be the responsibility of IPSRA which
> does not yet formally exist. Please check it out and comment. It's
> called draft-harkins-ipsec-ike-crack-00.txt and can be found with the
> others at http://www.ietf.cnri.reston.va.us/internet-drafts.
> 
>   Dan.


Howdy ()

	Is this protocol self-defeating of its own goal? The goal is to allow
the use of legacy authentication methods in place of deploying a pki.
Yet this protocol requires the pre-existence of a pki. Is the answer
along the lines of "yeah, but this is a small and manageable pki"?


	In the crack draft, Section 2.2 says

-- 2.2 Exchange Definition
 
   This exchange is motivated by the use of roaming IPSec-enabled
   clients which use legacy authentication methods for authentication
   instead of using a public key certificate. 


	And section 3 says:


3. The Protocol
 
   This protocol uses digital signatures to bind each party to the
   exchange as well as to the secret keying material that results from
   the exchange.  The signatures are verified because the peers trust
   each other's public keys.  This trust is acquired differently for the
   client and the gateway.  The client trusts the gateway's public key
   either because it came from a certificate which is signed by a
   trusted certification authority or because the client trusts it by
   some out-of-band mechanism (for instance it is loaded into his policy
   store prior to embarking on his voyage).  



####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@xxxxxxxxxxxx
####################################

end Howdy;