Hi André

André Pohl wrote:
> Ok, I understand your position in general...BUT (there is always a But :-) ):

certainly :)


> 1. The same set of problems exists for IPsec

Yes, I'm not happy with the IPsec implementation. It is very complicated
because of the CA. To be honest, when I must create an IPsec connection
with a CA (not that I would do this often), it always takes me hours to
understand where I must enter what information. But we did not change it
much after the fork, and thus now it is as it is. We need to simplify it in
future development, but for now we are happy that it works.


> 2. If someone is able to steal the private key of the CA, I've a bigger
> problem than revoking the complete PKI, 'cause my firewall is compromised.

Sure. That's just to minimize the risk. The risk of losing a private key
from a device through which all traffic passes is higher than that of
losing it from a device which you could switch off or put elsewhere. And
sometimes it is not that easy to replace the entire PKI.

Well certainly, on the other hand, if you have only 2 hosts, a CA installed
on the firewall would be preferable. Here I am with you.
But this is to be solved in a smart way: for example a downloadable tool
for CA administration, or a separate encrypted single CA somewhere on the
firewall, or better, a downloadable tool with an optional web GUI which can
also run on the firewall if you want it to.


> 4. Additionally, in contrast to a ZERINA-based implementation of OpenVPN,
> it's more handwork for the admin. In Zerina I only have to send the link
> for the GUI and the automatically generated ZIP with the config files.

Sure, that's easier. But it makes the entire PKI senseless. With that type
of authentication both parties need to authenticate each other. If one party
has all the necessary information to create its own certificates, the
authentication of the server by the client is senseless. Then there is not
much difference from simple PSK authentication.
CA management, on the other hand, has never been an easy task.


> 5. Managing an external CA should not be a problem for "pros", but for
> normal part-time admins this will be a big barrier to implementing a VPN
> (IPsec is too complicated for inexperienced road warriors).

That's true. This is the direction in which we should go forward:
simplifying the CA administration, not automating it, because that is
simply not possible without losing security.


peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: [EMAIL PROTECTED]
