Geoffrey Huang writes:

> My initial inclination is to say that won't fly: that many
> deployments still require preshared key authentication. Rather,
> they would object to certificates because of perceived complexity.
> That said, I could see arguments that what we're discussing are
> already fairly sophisticated topologies, so perhaps the certificate
> allergy doesn't hold?
As we are talking about temporary certificates enrolled by the local trust anchor, most of the issues people have with certificates do not apply. Administrators etc. will never even see those certificates. The vendor implementing this needs to implement fetching the temporary credentials, but that code needs to be written anyway regardless of whether we use pre-shared keys or certificates.

I would actually expect that most of these kinds of setups already use certificates as their credentials, as if we are talking about big networks with possibly "hundreds of thousands of gateways", I do not think anybody even thinks of deploying such networks with pre-shared keys, even with a hub and spoke model...
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
