[Cryptography] To what is Anderson referring here?
Dan McDonald
danmcd at kebe.com
Thu Jun 5 15:58:51 EDT 2014
On Thu, Jun 05, 2014 at 09:29:27PM +1200, Peter Gutmann wrote:
> Heck, the IPsec folks more or less made this explicit:
>
> all password-based authentication is insecure; IPsec is designed to be
> secure; therefore, you have to deploy a PKI for it

A noticeable number of IPsec deployments (IKE to be precise) use PSK. Some
implementations even let you use self-signed certs and explicit trust (not
the Big Name in Redmond, however).

Key management is ALWAYS the elephant in the room. IPsec *can*, when
properly built, decouple key management (e.g. IKE) from the protection of
packets (AH & ESP). This allows people to build better/faster/stronger KM
entities.

Dan