RE: l2tp as ipsra solution
Sara Bitan [mailto://sarab@xxxxxxxxxxxx] writes:
> The IPsec preferred authentication method is certificate based. Hence you
> could say that the IPSRA solution for human authentication is temporary until
> PKIs will be fully deployed. Indeed you could say that the proposed solutions
> are "encouraging" migration to PKI.
This is absolute nonsense. How can you say that encouraging people to
continue using their obsolete password-based systems is "encouraging"
migration to PKI?
> We all know though that "short term" can turn out to be very long.
>
> One thing regarding your option (b) I am sure of: we do not intend "never to
> come back to PKI based system later". PKI based systems are already here and
> are already being deployed - we are trying to solve the secure remote access
> problem where PKI based systems are not deployed.
Precisely. The time for implementing legacy authentication for IPSEC was
long ago (and rejected by the WG as I recall) and is gone. To add support
for (finally, truly) obsolete authentication methods can only serve to slow
deployment of PKI, not speed it.
>
> Sara.
> Jari Arkko wrote:
>
> > I think it is a relevant question to ask exactly how far the IPSRA
> > group should go. If I've understood correctly, one of the basic premises
> > on which the IPSRA group was built was the slow deployment of PKI.
> > Now, should the IPSRA group
> >
> > (a) Create a short-term solution from existing
> > "components", with possible limitations and
> > restrictions. Further on, move to PKI-based
> > systems.
> >
> > (b) Create a full-fledged perfect solution, including
> > substantial tuning or new development. Never
> > come back to PKI-based systems later.
> >
> > Jari
> > ----
> > Jari Arkko, Oy L M Ericsson Ab, 02420 Jorvas, Finland. Tel +358 9 2992480
> > Fax +358 9 2993052. GSM +358 40 5079256. E-Mail: Jari.Arkko@xxxxxxxxxxxx
> > Private WWW: http://www.iki.fi/jar. Standard disclaimers apply.
>