In your previous mail you wrote:

   > => I disagree: without authentication (by a pre-shared 
   > secret, certificate/signature or public key) you can be 
   > attacked by the Man-In-The-Middle, i.e., you can get a very 
   > secure connection with a bad guy, not the intended 
   > correspondent. There are some schemes where one participant 
   > can be anonymous, but at most one (i.e., never both).
   
   Is this scheme used anywhere on the net?

=> yes, anywhere but not in any case.

   Can I make use of it whatever time I want?

=> no, it works only on client-server interactions where the server
doesn't care who the client is. It is safe for the client (the
server is authenticated) but not for the server (but it doesn't matter).
With IKE the traditional way to do this is to enable self-signed
certificates. HIP and opportunistic encryption have this style
of anonymous initiators (and both use DNSSEC for strong authentication).

   E.g. the server has a cert and I don't, but the server
   requires IPsec, my client will respond even without cert?
   
=> if the server requires IPsec only because of its service and
gives the same right to any client then a self-signed cert can be
a good solution. SSL/TLS is commonly used with this kind of asymmetrical
authentication.

   Well I asked that question, let's say for the case that two end users
   without any certificates can build up a secure line between each other.

=> they can't.

   For example an IM application could turn on IPsec without certificate.
   The problem is I don't see end users buying certificates anytime soon,
   which might be important for pure P2P applications wanting to use the
   IPsec protocol, at least in my thoughts.
   
=> not only do they have to use certificates & co, but a global PKI is needed...

Regards

[EMAIL PROTECTED]
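The two situations discussed in this thread, as an added illustration that is not part of the original mails: a plain Diffie-Hellman exchange with no authentication, where a man-in-the-middle ends up holding a "very secure connection" with each side, and the asymmetric variant where only the server authenticates its key-exchange value (as a certificate or a DNSSEC-published key would let it) while the client stays anonymous. The group is the 2048-bit MODP group 14 from RFC 3526, which IKE uses; the signature is a textbook Schnorr-style scheme over the same group, written here for demonstration only (no real IKE or TLS implementation uses this exact construction), and the names `unauthenticated_exchange` and `server_authenticated_exchange` are assumed for this example. The attacker's substitution is modelled by the code itself rather than by any network traffic.

```python
"""Added example (not from the original thread): unauthenticated DH versus
server-authenticated DH against a key-substituting man-in-the-middle."""
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP prime used by IKE. g = 2 generates the
# prime-order subgroup of order q = (p - 1) / 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2


def to_bytes(n):
    return n.to_bytes(256, "big")


def keypair():
    """Private exponent in [2, q-1] and its public value g^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Derive a session key; reject values outside the prime-order subgroup."""
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value is not in the prime-order subgroup")
    return hashlib.sha256(to_bytes(pow(peer_pub, priv, P))).digest()


def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(to_bytes(r) + msg).digest(), "big") % Q


def sign(priv, msg):
    """Schnorr-style signature (toy, for illustration): (r, s) with s = k + x*e."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + priv * _challenge(r, msg)) % Q


def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(pub, _challenge(r, msg), P)) % P


def unauthenticated_exchange():
    """Plain DH with an active attacker relaying both directions.
    Returns True when the attacker shares a key with each side while the
    two honest parties do not share one with each other."""
    c_priv, c_pub = keypair()          # client
    s_priv, s_pub = keypair()          # server
    m_priv, m_pub = keypair()          # man-in-the-middle
    client_key = dh_shared(c_priv, m_pub)   # client thinks m_pub is the server's
    server_key = dh_shared(s_priv, m_pub)   # server thinks m_pub is the client's
    mitm_with_client = dh_shared(m_priv, c_pub)
    mitm_with_server = dh_shared(m_priv, s_pub)
    return (client_key == mitm_with_client and server_key == mitm_with_server
            and client_key != server_key)


def server_authenticated_exchange(tamper):
    """Server signs the DH transcript with a long-term key the client already
    trusts; the client remains anonymous. Returns "ok" or "rejected"."""
    srv_sign_priv, srv_sign_pub = keypair()      # long-term server key
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    sig = sign(srv_sign_priv, to_bytes(c_pub) + to_bytes(s_pub))
    if tamper:
        # Attacker swaps in her own DH value but cannot re-sign the transcript.
        _, s_pub_seen = keypair()
    else:
        s_pub_seen = s_pub
    if not verify(srv_sign_pub, to_bytes(c_pub) + to_bytes(s_pub_seen), sig):
        return "rejected"
    assert dh_shared(c_priv, s_pub_seen) == dh_shared(s_priv, c_pub)
    return "ok"


if __name__ == "__main__":
    print("unauthenticated DH, attacker in the middle:", unauthenticated_exchange())
    print("server-authenticated DH, honest run:", server_authenticated_exchange(False))
    print("server-authenticated DH, tampered run:", server_authenticated_exchange(True))
```

The subgroup check in `dh_shared` is the part most often skipped in toy code: an anonymous peer can otherwise submit a small-order value and force a predictable key. The tampered run is rejected purely because the attacker cannot produce a signature under the server's long-term key, which is exactly the asymmetric guarantee the reply above describes (safe for the client, nothing proven about the client to the server).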
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
