>>>>> "Geoffrey" == Geoffrey Huang <ghu...@juniper.net> writes:
    Geoffrey> My initial inclination is to say that won't fly: that many
    Geoffrey> deployments still require preshared key authentication.
    Geoffrey> Rather, they would object to certificates because of
    Geoffrey> perceived complexity. That said, I could see arguments
    Geoffrey> that what we're discussing are already fairly
    Geoffrey> sophisticated topologies, so perhaps the certificate
    Geoffrey> allergy doesn't hold? 

Tero isn't proposing using certificates.

Tero is proposing that the gateway/hub provides each leaf node with a
gateway-mediated, ASN.1-encoded, scalable, asymmetric, transitive proof
of identity.  It would be used only for the leaf-to-leaf connection.
It would be retained for a convenient period of time and then destroyed.

End users and leaf systems would continue to "authenticate" to the
gateway using the insecure legacy mechanisms that CTOs seem to prefer.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
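The hub-issued leaf-to-leaf credential described in the reply above, as an added illustration that is not part of the thread and not Tero's actual proposal: the hub (already trusted by every leaf through whatever it used to authenticate) signs a leaf's short-lived public key together with the leaf's identity and an expiry; a peer leaf checks the hub's signature and the expiry, then has the presenting leaf prove possession of that key by signing a fresh nonce; afterwards the credential is wiped. The byte layout, the `Credential` type, the `Hub`/`Verify`/`Destroy` names and the one-hour lifetime are all assumptions made for this example (a flat encoding is used in place of the ASN.1 the thread mentions).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential is the hub-issued proof of identity a leaf presents to another leaf.
// Field layout is a constructed illustration, not the ASN.1 encoding discussed on the list.
type Credential struct {
	LeafID   string
	LeafPub  ed25519.PublicKey // leaf's short-lived key, bound to LeafID by the hub
	NotAfter time.Time
	HubSig   []byte // hub's signature over (LeafID, LeafPub, NotAfter)
}

// credentialBytes is the exact byte string the hub signs and a peer verifies.
func credentialBytes(id string, pub ed25519.PublicKey, notAfter time.Time) []byte {
	var hdr [2]byte
	binary.BigEndian.PutUint16(hdr[:], uint16(len(id)))
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(notAfter.Unix()))
	b := make([]byte, 0, 2+len(id)+ed25519.PublicKeySize+8)
	b = append(b, hdr[:]...)
	b = append(b, id...)
	b = append(b, pub...)
	return append(b, ts[:]...)
}

// Hub is the gateway every leaf already trusts; only its public key needs to reach the leaves.
type Hub struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewHub() (*Hub, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Hub{priv: priv, Pub: pub}, nil
}

// Issue binds a leaf's short-lived public key to its identity for ttl, starting at now.
func (h *Hub) Issue(leafID string, leafPub ed25519.PublicKey, ttl time.Duration, now time.Time) Credential {
	notAfter := now.Add(ttl)
	return Credential{leafID, leafPub, notAfter, ed25519.Sign(h.priv, credentialBytes(leafID, leafPub, notAfter))}
}

// Verify is what leaf B runs on the credential leaf A presents together with A's signature
// over the nonce B sent: hub signature, expiry, then proof of possession of the bound key.
func Verify(hubPub ed25519.PublicKey, c Credential, nonce, proof []byte, now time.Time) error {
	if !ed25519.Verify(hubPub, credentialBytes(c.LeafID, c.LeafPub, c.NotAfter), c.HubSig) {
		return errors.New("credential was not issued by the hub")
	}
	if now.After(c.NotAfter) {
		return errors.New("credential expired")
	}
	if !ed25519.Verify(c.LeafPub, nonce, proof) {
		return errors.New("peer does not hold the key the hub bound to this identity")
	}
	return nil
}

// Destroy wipes the credential once its convenient retention period is over.
func (c *Credential) Destroy() {
	for i := range c.HubSig {
		c.HubSig[i] = 0
	}
	c.HubSig, c.LeafPub, c.LeafID = nil, nil, ""
}

func main() {
	hub, _ := NewHub()
	leafPub, leafPriv, _ := ed25519.GenerateKey(rand.Reader) // leaf A's short-lived key
	now := time.Now()
	cred := hub.Issue("leaf-a", leafPub, time.Hour, now)

	nonce := []byte("constructed challenge from leaf B") // constructed; use random bytes in practice
	proof := ed25519.Sign(leafPriv, nonce)
	fmt.Println("fresh credential:", Verify(hub.Pub, cred, nonce, proof, now))
	fmt.Println("after expiry:    ", Verify(hub.Pub, cred, nonce, proof, now.Add(2*time.Hour)))
	cred.Destroy()
}
```

Because the hub never sees the leaf-to-leaf traffic and the credential expires on its own, a leaf that is later removed from the hub only retains leaf-to-leaf reach until its last issued credential lapses; the `NotAfter` check is therefore the part a verifier must not skip.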
