At 6:37 PM -0500 3/20/02, Bennett Todd wrote:
>>>tied to a particular implementation, it could at least in principle
>>>be re-implemented for others, and any client with a web browser and
>>>an IPSec implementation could log in.
>>
>>  Sure, but what a royal pain to use.
>
>Sorry? It'd be possible with any web browser and a standard IP
>stack, as opposed to impossible without a specific, proprietary,
>vendor client.

Quite true.  But that has nothing to do with ease of use.

>And if you had some specific behaviour you wanted --- e.g. a
>commandline or gui that prompted for the username and auth
>credentials, then fired them off at the server and started up IPSEC,
>it'd be easy to script in any reasonable language; all the
>interactions are at least standardized.

Yes, but if something goes wrong, debugging it is not fun.  You have 
to worry about firewalls, proxy servers and many other things.  At 
some large companies external web access isn't allowed for all users; 
those users wouldn't be able to use the VPN.  All in all it sounds 
like a hack.  Far better to simply propose an extension to the 
standard and get it approved.  In the meantime, from an 
administrative standpoint, I'd rather deal with an integrated, 
proprietary vendor solution than try and debug something using 
multiple protocols.

>As for "something I know, something I have and something I am", I
>assume by that last you mean biometrics; I certainly wouldn't call
>that a "standard security piece" in any forum outside of biometrics
>salescritter conventions, and of course movie scriptwriting.

It's not standard in the sense that it is commonly used.  However, 
those three are commonly given as the set of secure methods, and any 
extension should look to addressing them all.
-- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
[EMAIL PROTECTED]

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
