
RE: L2TP is ipsra solution (?)



I'd like to reiterate my earlier statement - in order to perform strong
PKI-based user authentication - the user needs to authenticate himself to the
private key store (Smartcard or NVS). In order to do it - the user has no choice
but to use "weak" legacy authentication - PIN or password - therefore "the
whole process of authentication is predicated on the first authentication",
which is non-PKI - and we cannot do anything about it.

> -----Original Message-----
> From: CHINNA N.R. PELLACURU [mailto:pcn@xxxxxxxxx]
> Sent: Thursday, June 22, 2000 12:22 PM
> To: ietf-ipsra@xxxxxxxx
> Subject: L2TP is ipsra solution (?)
> 
> 
> Since I did not get much response to my questions requiring clarifications
> of ipsra requirements, I take the liberty to guess them, based on the fact
> that PIC was acceptable to the requirements.
> 
> If PIC was acceptable to the ipsra requirements, then I believe L2TP/IPSec
> meets those requirements too, and in fact I believe L2TP/IPSec is a better
> way of meeting those requirements than PIC.
> 
> This is because,
> 
> 1. In L2TP/IPSec we have the flexible framework to do a possibly stronger
> authentication (using digital signatures) in IKE before a possibly weaker
> authentication (using simple password based mechanisms), with legacy
> authentication systems. But, in PIC, the stronger authentication is
> predicated by a weak authentication (because credentials needed for the
> stronger authentication are provisioned based on the weaker
> authentication), which makes the stronger authentication useless.
> 
> 2. The L2TP/IPSec solution has the flexible framework of not mandating the
> use of PKI to do legacy authentication. This is because any standard form
> of authentication supported by IKE can be used. But, in PIC, since it is
> based on the signature authentication method in IKE aggressive mode, the
> customer is mandated to have a PKI, which I feel is missing the basic
> purpose of customer dissatisfaction, that led to the formation of another
> WG: ipsra. I guess, if ipsra also mandates PKI, then customers will force
> us to form yet another WG to deal with the fact that they are not yet
> ready for the PKI pill.
> 
> 3. In PIC, since the whole process of authentication is predicated on the
> first authentication, and this first authentication can be considered as
> "user authentication" based on legacy authentication systems, there is no
> real scope for a good "machine authentication" (I am assuming the common
> sense definitions of "user authentication" vs "machine authentication", as
> opposed to the cryptographic one, which I am not aware of). Since, in
> L2TP/IPSec, the two stages of authentication are independent for the most
> part (although the second authentication is protected by the first), we
> could do "machine authentication" in IKE, and do "user authentication" in
> L2TP.
> 
>     chinna
> 
> chinna narasimha reddy pellacuru
> s/w engineer
> 
>
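The "predicated on" argument above (point 1, point 3, and the reply about key stores) can be made concrete with a small dependency model. This is an added example, not code from the thread or from either protocol; it lists, for each way of authenticating, the alternative sets of secrets an attacker would need to hold, and all credential names are illustrative.

```python
# Added example (not from the thread): a toy model of how the assurance of a
# credential depends on the authentication that provisions or unlocks it.
# Each credential is a list of alternative factor sets; holding every factor in
# any one set is enough to authenticate. Factor names are illustrative only.
from itertools import product


def direct(*factors):
    """A credential usable only by holding all of these factors together."""
    return [frozenset(factors)]


def either(*creds):
    """Any one of the credentials suffices, e.g. a key that is handed out to
    whoever passes a password check: the alternatives are simply pooled."""
    return [path for cred in creds for path in cred]


def both(*creds):
    """All credentials are needed together, e.g. a key store unlocked by a PIN
    or two independent authentication stages: every combination is merged."""
    return [frozenset().union(*combo) for combo in product(*creds)]


def weakest_paths(cred):
    """The smallest factor sets that still let an attacker authenticate."""
    size = min(len(path) for path in cred)
    return sorted(sorted(path) for path in cred if len(path) == size)


# Point 1: in PIC the user's certificate is provisioned to whoever passes the
# legacy password check, so the password alone is a complete path in.
pic_user = either(direct("user_cert_key"), direct("user_password"))

# Point 3: L2TP/IPSec runs IKE machine authentication (key held by the machine)
# and PPP user authentication as independent stages; both must be passed.
l2tp_session = both(direct("machine_cert_key"), direct("user_password"))

# The reply's observation: a key held on a smartcard is unlocked by a PIN, so
# the PIN is necessary, and the model shows what else is needed with it.
smartcard_user = both(direct("smartcard"), direct("pin"))

if __name__ == "__main__":
    for name, cred in [("PIC user", pic_user), ("L2TP/IPSec", l2tp_session),
                       ("smartcard user", smartcard_user)]:
        print(f"{name:15s} attacker needs one of: {weakest_paths(cred)}")
```

The PIC row shows `['user_password']` as a full path on its own, which is the "predicated on the weaker authentication" point; the other two rows show the factors that must be held together.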