
RE: l2tp as ipsra solution



So is this a migration path for the customers or for the vendors?

As far as I can tell, the users are already free to switch to pure
certificate IKE one at a time and whenever they like.

An invisible migration path doesn't provide much of an incentive for
speeding up this process.

Andrew
--------------------------------------
Beauty without truth is insubstantial.
Truth without beauty is unbearable.


> -----Original Message-----
> From: smb@xxxxxxxxxxxxxxxx [mailto:smb@xxxxxxxxxxxxxxxx]
> Sent: Thursday, June 15, 2000 11:15 AM
> To: andrew.krywaniuk@xxxxxxxxxxx
> Cc: gwz@xxxxxxxxx; 'IPSRA list'
> Subject: Re: l2tp as ipsra solution
>
>
> In message <003d01bfd6da$94762ad0$d23e788a@xxxxxxxxxxxxxxxxxxxxxxxxx>, "Andrew Krywaniuk" writes:
> >> This is absolute nonsense.  How can you say that encouraging people to continue using their obsolete password-based systems is "encouraging" migration to PKI?
> >
> >Good point. This is a red herring. Any *decent* implementation of a system that allows people to continue using password-based authentication via the use of temporary certificates WILL HIDE THIS IMPLEMENTATION DETAIL FROM THE USER.
> >
> >How this provides a migration path to PKI is beyond me! Besides, I have noticed that any project that exists primarily for the purpose of providing a migration path never gets completed. I wonder why.
>
> It's a migration path because the underlying IKE software is completely certificate-based.  Users can convert one at a time; the over-the-wire IKE and the servers don't have to be touched when you start using PKI-based permanent certificates.  Furthermore, once all of your users have converted, you can delete the old software and be left with no vestigial pieces of code.
>
> By contrast, solutions that involve changes to IKE require specialized code and specialized protocols.  This sort of thing will never vanish.
>
> 		--Steve Bellovin