I don't think there need to be authorization tokens, as authorization can be left to local policy.
But there always needs to be some kind of "introduction" process, and it can take many forms: - Yaron, Yoav is at 192.168.1.3. Use c80273f0f7dd5bdc10c38234616fde22 as PSK - Yaron, Yoav is at 192.168.1.3. His certificate has DN: "CN=ynir,OU=something" In the first case, the "system" actually invented the credential, while in the second case it just tells you about it. So temporary credentials are not strictly necessary, but previous attempts to rely on pure PKI have been less than successful. Yoav On Mar 21, 2012, at 11:24 PM, Yaron Sheffer wrote: > The point of "temporary credentials" is that if these spokes normally > use EAP or PSK to authenticate to the gateway, they cannot use these > same credentials to auth to one another (because that would expose each > spoke to impersonation by the other one). So to support this scenario we > must have some other means of authentication. > > This raises an interesting question: if the spokes are authenticating > with certificates, they could in principle use the same credentials to > authenticate to one another. So the "temporary credentials" now become > *authorization* tokens, basically conveying to gateway's policy. Do we > really want to go down this path? > > Thanks, > Yaron > > On 03/21/2012 10:43 PM, Geoffrey Huang wrote: >> I don't understand what "temporary credentials" means. If the intent is to >> have some transitive authentication (or redirection of trust hierarchy, at >> least) between a gateway and two spoke devices, which are trying to >> establish an ad-hoc connection, then I agree this would be important to have. >> >> -geoff >> >> From: Vishwas Manral<[email protected]<mailto:[email protected]>> >> Date: Wed, 21 Mar 2012 12:24:08 -0700 >> To: Steve Hanna<[email protected]<mailto:[email protected]>> >> Cc: >> "[email protected]<mailto:[email protected]>"<[email protected]<mailto:[email protected]>> >> Subject: Re: [IPsec] [ipsecme] #217: Temporary credentials >> >> Hi Steve, >> >> I think this is an important requirement for sure. >> >> Thanks, >> Vishwas >> >> On Tue, Mar 20, 2012 at 6:36 PM, Stephen >> Hanna<[email protected]<mailto:[email protected]>> wrote: >> Another issue to comment on. >> >> Steve >> >> -----Original Message----- >> From: ipsecme issue tracker >> [mailto:[email protected]<mailto:[email protected]>] >> Sent: Tuesday, March 20, 2012 7:01 PM >> To: [email protected]<mailto:[email protected]>; >> [email protected]<mailto:[email protected]> >> Subject: [ipsecme] #217: Temporary credentials >> >> #217: Temporary credentials >> >> Endpoints may require temporary credentials in order to establish a secure >> connection to another endpoint. >> >> Suggested Resolution: Put this in the requirements section. >> _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
