> > I think that using PAKE for road warriors is more important than for > > site-to-site VPNs. In the latter case the SGWs are usually administered > > by (presumably :-)) experienced administrators, who can select a > > high-entropy > > PSK, and these PSKs need not to be memorable by users. So, generally > > speaking, > > it is more secure to use good PSK than passwords (since any PAKE defends > > only > > If we assume highly competent administrators, then we don't need a PAKE > at all.
For remote access where certificates or raw public key cannot be used, PAKE is extremely useful. > What I heard from the IPsecME record was that many in the room > felt that this was where ther was a weakness. I see this as a social issue, not a technical one. We can't prevent administrators from being careless, either with PSKs or with passwords. _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
