Paul Wouters <[email protected]> wrote:
> It's entertaining to see WireGuard go through the same. Certificates
> are too complex and annoying, let's only support raw keys. We tried that
> 25 years ago :)
"Entertaining" is definitely a word.
As if the ESP part of security was ever the problem.
> And the other issue is that if you want to use a certificate for IKE
> and TLS (e.g. an SSL VPN), then you have two PKIX profiles that might
> actually have contradictory constraints or requirements.
Exactly.
> Additionally,
> whether you like it or not such a combined certificate will be forced
> to comply with CAB/forum. As an example, loading your LetsEncrypt
> certificate into IKE to use it for SSL-VPN and IPsec VPNs.
I think that it should be possible to use an LE certificate as part of a
pinned-down certificate for IKE. It's way better than PSK.
> I think actual deployment, and what is specified in RFCs, at least in
> RFC 4945, has diverted quite a bit. I think 4945 needs to be updated.
> But that update would almost have to be "TLS compliant", so it
> basically comes down to "ignore all the 4945 stuff".
I would go for replacing 4945.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
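As an added illustration of the conflicting PKIX profiles discussed above (example code, not from the thread or from any IETF document): a minimal DER decoder for an X.509 ExtKeyUsage value, plus a simplified check of one EKU set against what public TLS (CA/Browser Forum) and IKE (RFC 4945 section 5.1.3.12) expect. The two sample DER values are constructed for this example, and the two policy rules are a deliberately reduced reading of those documents, not a full profile check.

```python
# Added example, not code from the thread. Decodes an X.509 ExtKeyUsage
# value (ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER) with a
# tiny DER reader and checks one EKU set against a simplified reading of
# the TLS (CA/Browser Forum) and IKE (RFC 4945 5.1.3.12) expectations.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
IPSEC_IKE = "1.3.6.1.5.5.7.3.17"    # id-kp-ipsecIKE
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for one DER TLV (short/long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Turn OID contents octets into dotted form (base-128 arcs)."""
    arcs, cur = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Parse ExtKeyUsageSyntax; returns the list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids

def tls_ok(ekus):
    # Public TLS: serverAuth required, anyExtendedKeyUsage not allowed.
    return ekus is not None and SERVER_AUTH in ekus and ANY_EKU not in ekus

def ike_ok(ekus):
    # RFC 4945: EKU may be absent; if present, ipsecIKE or anyEKU marks IKE use.
    return ekus is None or IPSEC_IKE in ekus or ANY_EKU in ekus

# Constructed sample values (DER, not taken from any real certificate):
# serverAuth + clientAuth, and ipsecIKE + anyExtendedKeyUsage.
LE_STYLE = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
IKE_STYLE = bytes.fromhex("3010" "06082b06010505070311" "0604551d2500")
```

Under these reduced rules the serverAuth/clientAuth set passes the TLS check but not the IKE one, and the ipsecIKE/anyEKU set passes IKE but not TLS, which is the contradiction between the two profiles the thread describes.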
