[anonsec] prob-02

Michael Richardson mcr at sandelman.ottawa.on.ca
Mon Mar 20 11:18:25 PST 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>   and Key IDs [10]. All require either CA-signed certificates or pre-
>   shared secrets to authenticate. These can be roughly categorized into 
>   network layer identifiers and other identifiers. 
...

>2.1.2. Authentication Methods 
>
>   As described earlier, CA-signed certificates and pre-shared secrets 
>   are the only methods of authentications accepted by current IPsec and 
>   IKE specifications. Pre-shared secrets require manual configuration 

This is false.

There is nothing in IKEv1 or IKEv2 that says that you have to use a
CA-signed certificate to us RSASIG authentication. 

As implementation proof, there is the Openswan/Freeswan/Strongswan, and
ncp.de (for windows) that provides raw rsa key usage with RSASIG.

Self-signed certificates are widely used as well, both by *swan, and
also by racoon, SSH/Safenet, and others.

The fact that these things need to be pre-exchanged is irrelevant, as so
do PSK.  

The fact of the matter is that a multitude of IPsec vendors have made it
very hard to use RSASIG mode in any kind of small-scale deployment. 
     These systems simply do not scale: scaling is about working with 2
     machines as well as with 2million.
     Just working for 2 million nodes is not "scaling".

By stating the above you are propogating the myth that "PK is hard"
(Think of that in a "math-is-hard" Barbie voice). It isn't. It's the "I"
part that is hard, particularly if you wish to work without pre-deployed
infrastructure, which Joe does.

I can not suggest text, because I think worrying about how hard
certificates are to get is totally irrelevant. I would just say that
pre-arranging appropriate, mutually trusted authentication systems is
hard, particularly when the connection crosses organizationational
boundaries. 

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRB8AAICLcPvd0N1lAQJchwf/Q/GAHa0qcE5N6G85QHJb+ue5CIJI6tyP
+XRGM4Il453acOqnz+O4VBnIq9pGTqvoEGaqpGFZ67iYr5jGIsPcbYSCMJv4XpQI
qiJZJzJi9OJ3ytlWTANdl9FsLyOKFdD13KsOpN3vgsQvTHf/Mr1zzpbG1Yb6FC3D
SApu3Zy5NobzF5oLOzMNVlIKgoLArDZAMLy1QH8l1i+/8dfTt0t3D3NRGTFSFhPn
hrS4G1AYhYIAfP016ESfzZsKym87AXObS7vL92IFjW58OO7ZloK+kJs47GAngC6Y
u1wIn9ch4bxMTe8Dh/cVgsO3KJmKeVnAMSO15DUaBocLT7ueq+gXRw==
=kwGy
-----END PGP SIGNATURE-----

More information about the ANONSEC mailing list