[Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

Philippe Vouters philippe.vouters at laposte.net
Thu Apr 10 21:18:50 EEST 2014


Paul,

Congratulations. Clear explanation. It deserves a good public document.
On my side I should dig more into raw RSA public keys.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 04/10/2014 08:04 PM, Paul Wouters wrote:
> On Thu, 10 Apr 2014, Philippe Vouters wrote:
>
>> Although it is very insecure, would embedded systems be the reason for
>> your xauthby=alwaysok?
>> This is aside from the NSS database aspect.
>
> xauthby=alwaysok is not "very insecure".
>
> IPsec VPNs can be authenticated using various different methods:
>
> 1) PreShared Key with IDs (or IPs as ID)
> 2) raw RSA public keys
> 3) X.509 Certificates
>
> 4) 1,2 or 3 plus an XAUTH/CP username+password
> 5) 1,2 or 3 plus an L2TP username+password
>
> Furthermore, IPsec VPNs can hand out an IP address to the client using:
>
> A) XAUTH/CP
> B) L2TP
>
> Some people require an IP address assignment without needing an
> additional username+password. For instance because they use 2) or 3)
> or because they believe the PSK for 1) is good enough for their use
> case.
>
> If you use A) to get an IP address, you are forced to also specify a
> username+password. The option xauthby=alwaysok allows you to 'ignore'
> the username+password in these cases.
>
> If you are using A) because you want to identify the _user_ on top of
> identifying the _device_, then obviously you are going to have to use
> xauthby=file or xauthby=pam.
>
> Paul
>
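As an added example that is not part of the thread, the two cases Paul describes expressed as libreswan ipsec.conf server connections (IKEv1 + XAUTH/CP); the hostname, certificate nickname and address pool are assumed placeholders:

```ini
# Added example, not from the mailing-list thread. Shared settings for
# both connections: the device is authenticated by an X.509 certificate
# (method 3) and addresses are handed out over XAUTH/CP (method A).
conn %default
    ikev2=no
    authby=rsasig
    left=%defaultroute
    leftid=@vpn.example.com           # placeholder server identity
    leftcert=vpnserver                # placeholder NSS certificate nickname
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightca=%same                     # client cert must chain to our CA
    leftxauthserver=yes
    leftmodecfgserver=yes
    rightxauthclient=yes
    rightmodecfgclient=yes
    rightaddresspool=192.0.2.100-192.0.2.200   # placeholder pool
    auto=add

# The certificate already identifies the device; XAUTH is only used to
# carry the address assignment, so the username+password round trip is
# accepted without being checked.
conn cert-device-only
    xauthby=alwaysok

# The user must be identified on top of the device: XAUTH credentials are
# verified against PAM and a failed login tears the tunnel down.
conn cert-plus-user
    xauthby=pam
    xauthfail=hard
```

The two conn sections match the same peers and are shown side by side only for contrast; a real deployment would load one or the other.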