Re: IP security

Alex deVries (adevries@engsoc.carleton.ca)
Thu, 8 Aug 1996 10:27:49 -0400 (EDT)


On Wed, 7 Aug 1996, Linus Torvalds wrote:

<snip>

> Most "secure IP" packages seem to think that having a per-host key is a good
> idea. In fact the whole idea sucks: you need to be the host maintainer to
> change the keys etc. That means that the user is at the mercy of the
> maintainer, who may be overworked, uncaring about the users' needs, or simply
> stupid. You can't really protect against an actively _evil_ root, but ipsec
> doesn't even protect against an _uncaring_ root..

Ah, but wait! You're assuming that there's just one key per host. Under
ISAKMP/Oakley (if in fact that is adopted by IP Sec), certificates may be
indexed by either User-FQDNs _or_ FQDNs. This means that ISAKMP will be
able to support user-based certificates. So, if you're a user on a
machine run by a stupid root, you'll be able to manage your own
re-certification, etc. I think ISAKMP will work very well on a multi-user
system.

Host-based certificates are better for host-to-host based connections,
such as creating Virtual Private Networks by joining LANs over the
Internet. I'm pretty sure this is what Cisco has in mind. IP Sec could
handle both.

So, would a user-based certificate implementation of IP Sec be so bad,
Linus?

> With "ssh", you get something that works today, is secure and usable, and can
> be installed easily on the system with minimal need for maintenance, so you
> don't need to worry overmuch about maintaining it. It ports to just about any
> UNIX, and because it's connection-oriented you can use it or not use it as
> you see fit.

You're right. SSH is decent. I just wish it handled all IP traffic, not
just TCP connections.

> Note: if somebody thinks ipsec is useful and implements it cleanly for Linux,
> I'd be more than happy to add it to the kernel despite the above text. I

Count me in.

It would also be pleasant if someone implemented some sort of GPL'd CA...
something like a GNU X509 server.

- Alex

-------
Alex deVries, System Administrator, The EngSoc Project.
The slower life gets, the more sense beer makes.
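
How a responder can tell a per-user identity from a per-host one, as an added example that is not part of the original message: it parses an ISAKMP Identification payload using the layout and type codes later published in the IPsec DOI (RFC 2407: ID_FQDN = 2, ID_USER_FQDN = 3). The credential table, host and user names, and function names are constructed for illustration.

```python
import struct

# Identification type codes from RFC 2407 section 4.6.2.1 (assumption: the
# message predates the RFC and names no specific draft).
ID_FQDN = 2        # host identity, e.g. "gw.example.org"
ID_USER_FQDN = 3   # user identity, e.g. "alice@gw.example.org"
HDR = "!BBHBBH"    # next payload, reserved, length, ID type, protocol ID, port

def build_id_payload(id_type, value, next_payload=0):
    """Encode an Identification payload (length covers the 8-byte header)."""
    data = value.encode("ascii")
    return struct.pack(HDR, next_payload, 0, 8 + len(data), id_type, 0, 0) + data

def parse_id_payload(buf):
    """Return ("user" | "host", normalized name) or raise ValueError."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload header")
    _next, _rsvd, length, id_type, _proto, _port = struct.unpack(HDR, buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("payload length field does not match buffer")
    name = buf[8:length].decode("ascii").lower()  # non-ASCII raises ValueError
    if id_type == ID_USER_FQDN:
        user, sep, host = name.partition("@")
        if not (user and sep and host) or "@" in host:
            raise ValueError("USER_FQDN must look like user@host")
        return "user", name
    if id_type == ID_FQDN:
        if not name or "@" in name:
            raise ValueError("FQDN must be a bare host name")
        return "host", name
    raise ValueError("unsupported ID type %d" % id_type)

# Constructed credential store: one certificate per host, plus per-user
# certificates that a user can rotate without involving root.
CREDENTIALS = {
    ("host", "gw.example.org"): "host-cert",
    ("user", "alice@gw.example.org"): "alice-cert",
}

def select_credential(buf):
    """Pick the certificate keyed by the peer's claimed identity, if any."""
    return CREDENTIALS.get(parse_id_payload(buf))

if __name__ == "__main__":
    for t, n in ((ID_FQDN, "gw.example.org"), (ID_USER_FQDN, "alice@gw.example.org")):
        print(n, "->", select_credential(build_id_payload(t, n)))
```
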