
RE: Authentication Mechanism Matrix (was L2TP vs IPSEC)



On Tue, 20 Jun 2000, Hugo Krawczyk wrote:

> 
> 
> On Mon, 19 Jun 2000, Andrew Krywaniuk wrote:
> 
> > Hi Glen,
> > 
> > > > Well, that was basically my point. None of the recent
> > > proposals have dealt
> > > > with the issue of authenticating both user and machine.
> > 
> > > Try L2TP/IPSec w/EAP-TLS.
> > 
> > I wasn't including that as a "recent proposal". I meant the more recent get
> > cert type drafts.
> > 
> 
> The PIC protocol (draft-ietf-ipsra-pic-00.txt) can easily accommodate
> (optional) machine authentication *in addition* to (mandatory)
> user authentication.
> I am in favor of providing that option. It was not included in the
> first draft because we did not want to add options for which there
> was no clear consensus about their need.
> From recent discussions in the list it seems to me that there may be
> strong support for such option, if so we can include it in the next
> version of the draft.
> 
> Hugo

I don't think there is any real cryptographic benefit of "bootstrapping"
IKE credentials (that are capable of several orders of magnitude stronger
cryptographic authentication) using legacy authentication. Bootstrapping a
cryptographically very very strong authentication using legacy
authentication is useless, because the weakest link in this system is still
the legacy authentication.

And I don't think this scheme could provide "machine authentication",
because the credentials that would be used to do any kind of further
authentication are predicated on the "user authentication" that is done
first. So, it would still be "user authentication".

    chinna


chinna narasimha reddy pellacuru
s/w engineer