Re: Starting the decision on PIC vs. GetCert

Hi Ari,

Comments below...

Ari Huttunen wrote:
> "Scott G. Kelly" wrote:
> >
> > I haven't come down one way or the other yet, but have made the
> > following observations: if pic is chosen, the fact that it would be part
> > of the ipsec subsystem makes the problem of getting the cert into the
> > ipsec credential db transparent to the user. If getcert is used with a
> > browser interface, this is not the case (although I know getcert could
> > be implemented by the ipsec client code as well). Also, getcert may be
> > susceptible to any associated tls security issues. Comments, anyone?
> >
> > Scott
> If the solution is too tightly bound to the IKE implementation, deployment
> of the solution will require that all IKE implementations used by the corporation
> be changed. On the other hand, a separate client product pushing a cert to an
> OS cert store and a separate authentication server would be more easily deployable.

The fact that pic uses an ike variant doesn't mean it is tightly bound
to the ike implementation, necessarily. For example, a pic
implementation need not run on the headend, meaning that ike
implementation would not change at all. Where it *would* require
widespread change would be in the remote access clients, but these
systems have to be modified either way.