>>>>> "Geoffrey" == Geoffrey Huang <ghu...@juniper.net> writes:

    Geoffrey> My initial inclination is to say that won't fly: that many
    Geoffrey> deployments still require preshared key authentication.
    Geoffrey> Rather, they would object to certificates because of
    Geoffrey> perceived complexity. That said, I could see arguments
    Geoffrey> that what we're discussing are already fairly
    Geoffrey> sophisticated topologies, so perhaps the certificate
    Geoffrey> allergy doesn't hold?
Tero isn't proposing using certificates. Tero is proposing that the gateway/hub provides each leaf node with gateway-mediated, ASN.1-encoded, scalable, asymmetric, transitive proofs of identity. It would be used only for the leaf-to-leaf connection. It would be retained for a convenient period of time and then destroyed. End users and leaf systems would continue to "authenticate" to the gateway using the insecure legacy mechanisms that CTOs seem to prefer.

--
]        He who is tired of Weird Al is tired of life!           | firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON     |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
  Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
              then sign the petition.
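To make the shape of that mechanism concrete, here is an added example; it is not code from this thread, from Tero's proposal, or from any IPsec implementation. It models one reading of the idea: the hub, which the leaf already trusts, issues a short-lived, ASN.1 (DER) encoded assertion binding a leaf identity to a public key and signs it; a peer leaf verifies the hub signature and expiry, then requires a signature over a fresh challenge so the presenter must actually hold the bound key. The use of Ed25519, the `LeafProof`/`SignedProof` layout, the function names, and the sample identities `leaf-a.example` and `leaf-b.example` are all assumptions made here, and the proof is verified in isolation rather than carried inside an IKEv2 exchange.

```go
package main

// Added example, not from the IPsec list thread or any implementation.
// Structure layout, field names and the Ed25519 choice are assumptions.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// LeafProof is the hub's assertion: "this leaf ID holds this public key
// until NotAfter". encoding/asn1 emits it as a DER SEQUENCE.
type LeafProof struct {
	LeafID   string
	LeafKey  []byte    // Ed25519 public key of the leaf
	NotAfter time.Time // after this the leaf must discard the proof
}

// SignedProof carries the exact DER bytes of LeafProof plus the hub's
// signature over those bytes, so verification happens before decoding.
type SignedProof struct {
	Proof  []byte
	HubSig []byte
}

// Hub holds the issuing key; leaves are provisioned with Hub.Pub through
// their existing (out-of-band) trust relationship with the gateway.
type Hub struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewHub() (*Hub, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Hub{priv: priv, Pub: pub}, nil
}

// Issue mints a proof for leafID bound to leafPub, valid for ttl.
// A negative ttl produces an already-expired proof (handy for testing).
func (h *Hub) Issue(leafID string, leafPub ed25519.PublicKey, ttl time.Duration) ([]byte, error) {
	body, err := asn1.Marshal(LeafProof{
		LeafID:   leafID,
		LeafKey:  []byte(leafPub),
		NotAfter: time.Now().Add(ttl).UTC(),
	})
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(SignedProof{Proof: body, HubSig: ed25519.Sign(h.priv, body)})
}

// Leaf is a spoke. The hub only ever sees the public half of its key.
type Leaf struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewLeaf(id string) (*Leaf, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Leaf{ID: id, priv: priv, Pub: pub}, nil
}

// Respond proves possession of the leaf key by signing the peer's challenge.
func (l *Leaf) Respond(challenge []byte) []byte {
	return ed25519.Sign(l.priv, challenge)
}

// NewChallenge draws a fresh nonce so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// VerifyProof checks strict DER framing, the hub signature and expiry,
// and returns the identity binding the hub asserted.
func VerifyProof(hubPub ed25519.PublicKey, der []byte, now time.Time) (*LeafProof, error) {
	var sp SignedProof
	rest, err := asn1.Unmarshal(der, &sp)
	if err != nil {
		return nil, fmt.Errorf("outer decode: %w", err)
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after SignedProof")
	}
	if !ed25519.Verify(hubPub, sp.Proof, sp.HubSig) {
		return nil, errors.New("hub signature invalid")
	}
	var lp LeafProof
	if rest, err = asn1.Unmarshal(sp.Proof, &lp); err != nil {
		return nil, fmt.Errorf("inner decode: %w", err)
	} else if len(rest) != 0 {
		return nil, errors.New("trailing bytes after LeafProof")
	}
	if len(lp.LeafKey) != ed25519.PublicKeySize {
		return nil, errors.New("leaf key has wrong length")
	}
	if !now.Before(lp.NotAfter) {
		return nil, errors.New("proof expired")
	}
	return &lp, nil
}

// Authenticate is what a leaf runs on a peer's proof and challenge
// response; it returns the peer identity the hub vouched for, or an error.
func Authenticate(hubPub ed25519.PublicKey, der, challenge, response []byte) (string, error) {
	lp, err := VerifyProof(hubPub, der, time.Now())
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(ed25519.PublicKey(lp.LeafKey), challenge, response) {
		return "", errors.New("peer did not prove possession of the asserted key")
	}
	return lp.LeafID, nil
}

func main() {
	hub, _ := NewHub()
	a, _ := NewLeaf("leaf-a.example") // constructed sample identity
	proofA, _ := hub.Issue(a.ID, a.Pub, 10*time.Minute)
	ch, _ := NewChallenge()
	id, err := Authenticate(hub.Pub, proofA, ch, a.Respond(ch))
	fmt.Println(id, err)
}
```

Two design points carry the security weight: the hub signature is checked over the raw DER before the inner structure is parsed, so a malformed or tampered proof never reaches the decoder with trust attached, and the proof alone is never enough, since a peer must also answer a fresh challenge with the bound key. The `NotAfter` field is the "retained for a convenient period and then destroyed" part of the proposal expressed as an enforced expiry rather than a convention.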
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec