I, like Gadi, am certainly no PKI expert. I've seen folks get badly burned by this fire though...

On Sat, 26 Mar 2005, Sean Donelan wrote:

> Most people figured out I was not looking for a "public" CA solution.
> There is very little reason why internal certificates need to be
> recognized world-wide, or by anything outside of the internal
> organization. Also I didn't say it, but I'm not looking to identify
> natural people.

Kerb could also do this for you; routers (IOS at least) already support Kerb for authentication... So does *nix, NT/XP/2K/2k3, MacOSX. Does this meet the need for authentication type things?

> Instead of using community names for SNMP or shared secrets for VPN,
> an alternative for a network operator is some form of public/private
> keys.

You could, I'm fairly certain, hack in kerb auth to VPN clients and possibly to SNMP, though I admit to not being an ASN.1 expert either :( (kerb and snmp use this in their packing methods, right?)

> Several people pointed out certificates don't fix the compromised
> device problem. Public/private key pairs are only as secure as the
> private key. The length of the key doesn't matter if you can get
> a copy of the private key.

It's the compromised device problem that was the white-hot-flame-of-love for the last PKI deployment I witnessed in action...

Anyway, Kerberos? Might it also be considered for your situation?

-Chris
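The quoted point that a key pair is "only as secure as the private key" can be made concrete with a small challenge-response authenticator. The following Go program is an added illustration, not code from the thread or from any router or VPN vendor; it assumes an Ed25519 key pair (the algorithm choice is mine, the thread names none) and a device that has enrolled only the operator's public key. It runs three cases against the same verifier: the legitimate operator, a party holding a byte-for-byte copy of the private key, and a party holding only the public key plus a key pair of its own. The first two pass and the third fails, which is exactly why key length is beside the point once the private key has been copied off a compromised device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier is the device side (think: a router) and holds only the public
// key enrolled for an operator. It never sees the private key.
type Verifier struct {
	Enrolled ed25519.PublicKey
}

// NewChallenge returns a fresh 32-byte random nonce. A new nonce per login
// means a captured response cannot simply be replayed later.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond is the prover side: whoever holds the private key signs the nonce.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Check accepts a response only if it verifies under the enrolled public key.
func (v Verifier) Check(nonce, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(v.Enrolled, nonce, sig)
}

// Outcome records who passes authentication in Scenario.
type Outcome struct {
	Legitimate     bool // operator using the original private key
	StolenKeyCopy  bool // holder of an exact copy of that private key
	ForgedResponse bool // holder of the public key only, signing with a different key pair
}

// Scenario enrolls one public key and runs the three cases against it.
// Keys are generated fresh here (constructed sample data, not real credentials).
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	v := Verifier{Enrolled: pub}
	var out Outcome

	// Case 1: the legitimate operator.
	nonce, err := NewChallenge()
	if err != nil {
		return Outcome{}, err
	}
	out.Legitimate = v.Check(nonce, Respond(priv, nonce))

	// Case 2: a copy of the private key, e.g. read off a compromised host.
	// The verifier cannot distinguish this from the legitimate operator.
	copied := make(ed25519.PrivateKey, len(priv))
	copy(copied, priv)
	if nonce, err = NewChallenge(); err != nil {
		return Outcome{}, err
	}
	out.StolenKeyCopy = v.Check(nonce, Respond(copied, nonce))

	// Case 3: knowing the public key is not enough; a different key pair fails.
	_, other, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	if nonce, err = NewChallenge(); err != nil {
		return Outcome{}, err
	}
	out.ForgedResponse = v.Check(nonce, Respond(other, nonce))

	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate operator accepted: %v\n", out.Legitimate)
	fmt.Printf("copied private key accepted:  %v\n", out.StolenKeyCopy)
	fmt.Printf("forged response accepted:     %v\n", out.ForgedResponse)
}
```

The practical consequence for the operator is that the design effort goes into where the private key lives (a hardware token or a tightly controlled host rather than a shared management box) and into being able to revoke and re-enroll a public key quickly when a device is suspected compromised; the signature algorithm and key size do nothing for the second case above.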
