[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Starting the decision on PIC vs. GetCert



"Scott G. Kelly" wrote:
> 
> I haven't come down one way or the other yet, but have made the
> following observations: if pic is chosen, the fact that it would be part
> of the ipsec subsystem makes the problem of getting the cert into the
> ipsec credential db transparent to the user. If getcert is used with a
> browser interface, this is not the case (although I know getcert could
> be implemented by the ipsec client code as well). Also, getcert may be
> susceptible to any associated tls security issues. Comments, anyone?
> 
> Scott

If the solution is too tightly bound to the IKE implementation, deployment
of the solution will require that all IKE implementations used by the corporation
be changed. On the other hand, a separate client product pushing a cert to an 
OS cert store and a separate authentication server would be more easily deployable.

Ari

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security