
RE: l2tp as ipsra solution



> This is absolute nonsense.  How can you say that encouraging people to
> continue using their obsolete password-based systems is "encouraging"
> migration to PKI?

Good point. This is a red herring. Any *decent* implementation of a system
that allows people to continue using password-based authentication via the
use of temporary certificates WILL HIDE THIS IMPLEMENTATION DETAIL FROM THE
USER.

How this provides a migration path to PKI is beyond me! Besides, I have
noticed that any project that exists primarily for the purpose of providing
a migration path never gets completed. I wonder why.

Andrew
--------------------------------------
Beauty without truth is insubstantial.
Truth without beauty is unbearable.


> -----Original Message-----
> From: owner-ietf-ipsra@xxxxxxxxxxxxx
> [mailto:owner-ietf-ipsra@xxxxxxxxxxxxx]On Behalf Of Glen Zorn
> Sent: Wednesday, June 14, 2000 6:28 PM
> To: Sara Bitan; Jari Arkko
> Cc: Ricky Charlet; IPSRA list; Glen Zorn
> Subject: RE: l2tp as ipsra solution
>
>
> Sara Bitan [mailto://sarab@xxxxxxxxxxxx] writes:
>
> > The IPsec preferred authentication method is certificate based. Hence you
> > could say that the IPSRA solution for human authentication is temporary
> > until PKIs will be fully deployed. Indeed you could say that the proposed
> > solutions are "encouraging" migration to PKI.
>
> This is absolute nonsense.  How can you say that encouraging people to
> continue using their obsolete password-based systems is "encouraging"
> migration to PKI?
>
> > We all know though that "short term" can turn out to be very long.
> >
> > One thing regarding your option (b) I am sure of: we do not intend "never
> > to come back to PKI based system later". PKI based systems are already
> > here and are already being deployed - we are trying to solve the secure
> > remote access problem where PKI based systems are not deployed.
>
> Precisely.  The time for implementing legacy authentication for IPSEC was
> long ago (and rejected by the WG as I recall) and is gone. To add support
> for (finally, truly) obsolete authentication methods can only serve to slow
> deployment of PKI, not speed it.
>
> >
> >  Sara.
> > Jari Arkko wrote:
> >
> > > I think it is a relevant question to ask exactly how far the IPSRA
> > > group should go. If I've understood correctly, one of the basic premises
> > > on which the IPSRA group was built was the slow deployment of PKI.
> > > Now, should the IPSRA group
> > >
> > >         (a) Create a short-term solution from existing
> > >             "components", with possible limitations and
> > >             restrictions. Further on, move to PKI-based
> > >             systems.
> > >
> > >         (b) Create a full-fledged perfect solution, including
> > >             substantial tuning or new development. Never
> > >             come back to PKI-based systems later.
> > >
> > > Jari
> > > ----
> > > Jari Arkko, Oy L M Ericsson Ab, 02420 Jorvas, Finland. Tel +358 9 2992480
> > > Fax +358 9 2993052. GSM +358 40 5079256. E-Mail: Jari.Arkko@xxxxxxxxxxxx
> > > Private WWW: http://www.iki.fi/jar. Standard disclaimers apply.
> >
>
>