Re: alternative to user-to-user Kerberos in KINK
Bill Sommerfeld <sommerfeld@xxxxxxxxxxxx> writes:
> > Perhaps we just don't care; or perhaps "users" can only be IPSec
> > initiators.
>
> That won't work in the general case since many possible uses of ipsec
> require peer-to-peer keying. (or, rather, require either end to be
> able to initiate rekeying).
It works for road-warrior VPNs :)
In other cases, you probably aren't authenticating users to users, or
hosts to users, but rather hosts to hosts. So I don't think it
matters there, either. The only case I can truly think of where you
might want to have the user authenticate one end is for a road-warrior
VPN solution, and in that case, no, the server WON'T be initiating
anything :)
> - Bill
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH
warlord@xxxxxxx PGP key available