RE: I-D ACTION:draft-ietf-ipsec-isakmp-gss-auth-03.txt

"Waters, Stephen" <Stephen.Waters@cabletron.com> Fri, 08 October 1999 16:35 UTC

Message-ID: <29752A74B6C5D211A4920090273CA3DCCDE464@new-exc1.ctron.com>
From: "Waters, Stephen" <Stephen.Waters@cabletron.com>
To: ipsec@lists.tislabs.com
Subject: RE: I-D ACTION:draft-ietf-ipsec-isakmp-gss-auth-03.txt
Date: Fri, 08 Oct 1999 15:30:09 +0100

Derrell,

I've taken a quick wander through the GSS documents now, and I have a
question:

A few weeks/months back, we were debating on the list how public-key could
be used with IKE without the need for PKI (CA/CRL/RA).

One of the suggestions that came out (that I was fond of :) ) was that you
provide clients with just their own private key and the public key of the
server.  The server has its own public/private key, and access to a secure
database containing the clients' private keys. This was given the name
'private public-key'. The IKE exchange is standard signature authentication,
with off-line cracking protection.

From what I can tell from GSS and your draft, it is basically the same
model, except that we are talking about adding a new 'thing' everywhere
called GSS-API software.

Cheers, Steve.