Re: [IPsec] [ipsecme] #217: Temporary credentials

[Yaron Sheffer]

The point of "temporary credentials" is that if these spokes normally 
use EAP or PSK to authenticate to the gateway, they cannot use these 
same credentials to auth to one another (because that would expose each 
spoke to impersonation by the other one). So to support this scenario we 
must have some other means of authentication.

This raises an interesting question: if the spokes are authenticating 
with certificates, they could in principle use the same credentials to 
authenticate to one another. So the "temporary credentials" now become 
*authorization* tokens, basically conveying to gateway's policy. Do we 
really want to go down this path?

Thanks,
        Yaron

On 03/21/2012 10:43 PM, Geoffrey Huang wrote:
I don't understand what "temporary credentials" means.  If the intent is to 
have some transitive authentication (or redirection of trust hierarchy, at least) between 
a gateway and two spoke devices, which are trying to establish an ad-hoc connection, then 
I agree this would be important to have.

-geoff

From: Vishwas Manral<vishwas.i...@gmail.com<mailto:vishwas.i...@gmail.com>>
Date: Wed, 21 Mar 2012 12:24:08 -0700
To: Steve Hanna<sha...@juniper.net<mailto:sha...@juniper.net>>
Cc: 
"ipsec@ietf.org<mailto:ipsec@ietf.org>"<ipsec@ietf.org<mailto:ipsec@ietf.org>>
Subject: Re: [IPsec] [ipsecme] #217: Temporary credentials

Hi Steve,

I think this is an important requirement for sure.

Thanks,
Vishwas

On Tue, Mar 20, 2012 at 6:36 PM, Stephen 
Hanna<sha...@juniper.net<mailto:sha...@juniper.net>>  wrote:
Another issue to comment on.

Steve

-----Original Message-----
From: ipsecme issue tracker 
[mailto:t...@tools.ietf.org<mailto:t...@tools.ietf.org>]
Sent: Tuesday, March 20, 2012 7:01 PM
To: yaronf.i...@gmail.com<mailto:yaronf.i...@gmail.com>; 
draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.org<mailto:draft-ietf-ipsecme-p2p-vpn-prob...@tools.ietf.org>
Subject: [ipsecme] #217: Temporary credentials

#217: Temporary credentials

  Endpoints may require temporary credentials in order to establish a secure
  connection to another endpoint.

  Suggested Resolution: Put this in the requirements section.

--

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec