Re: Position statement on IKE development

On Tue, 7 Aug 2001, Scott G. Kelly wrote:
> > 1. "Doesn't this require me to install root certs on all the clients, just
> > as if I were moving to PKI?"
>
> All clients are required to have root certs (or access to some
> equivalent verification mechanism) if they are to use anything other
> than preshared keys for phase 1 authentication anyway...

We haven't found it so. Of course, we have to explain to people over and
over again that using RSA public keys does not imply using certificates.
(Do certificates scale better than plain public keys? Yeah, probably...
but either one is so superior to preshared secrets that the difference is
second-order for most users, and public keys are much simpler.)

Henry Spencer
henry@xxxxxxxxxxxxx