From owner-ietf-ipsra@mail.vpnc.org  Sun Feb  4 04:44:46 2001
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id EAA07565
	for <ipsra-archive@odin.ietf.org>; Sun, 4 Feb 2001 04:44:45 -0500 (EST)
Received: by ns.secondary.com (8.9.3/8.9.3) id AAA15285
	for ietf-ipsra-bks; Sun, 4 Feb 2001 00:41:26 -0800 (PST)
Received: from hippolyte.radguard.com ([192.117.11.9])
	by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA15270;
	Sun, 4 Feb 2001 00:41:23 -0800 (PST)
Received: from hellman.radguard.com (unverified) by hippolyte.radguard.com
 (Content Technologies SMTPRS 4.2.1) with SMTP id <T51857d9cb0c0750b09099@hippolyte.radguard.com>;
 Sun, 4 Feb 2001 10:52:32 +0200
Received: from radguard.com by hellman.radguard.com (8.8.8+Sun/SMI-SVR4)
	id KAA02077; Sun, 4 Feb 2001 10:47:29 +0200 (IST)
Message-ID: <3A7D16A5.C9F094D9@radguard.com>
Date: Sun, 04 Feb 2001 10:45:25 +0200
From: Sara Bitan <sarab@radguard.com>
Organization: RADGUARD
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: IPSRA list <ietf-ipsra@vpnc.org>
CC: Paul Hoffman <phoffman@vpnc.org>
Subject: Starting the decision on PIC vs. GetCert
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit


Hello all!

We would like to choose one candidate between PIC and GetCert, and to have
progress with the chosen one.
We will have a short (two weeks) discussion on the list, followed by
a straw poll.

Here is a general summary that I hope will help us start the discussion.

These are the general requirements PIC and GetCert were devised to answer:

(From draft-ietf-ipsra-reqmts-03.txt)
  " In general, proposed IPsec remote access mechanisms should meet the
   following goals:
     o should provide direct support for legacy user authentication
       systems such as RADIUS
     o should encourage migration from existing low-entropy
       password-based systems to more secure authentication systems
     o if legacy support cannot be provided without some sort of
       migration, the impact of such migration should be minimized
     o user authentication information must be protected against
       eavesdropping and replay (including the user identity)
     o single sign-on capability should be provided in configurations
       employing load-balancing and/or redundancy
     o n-factor authentication mechanisms should be supported"


Both PIC and GetCert answer the first five requirements. As noted in a recent
discussion on the list, PIC can be modified to answer the last requirement.
Both provide server side authenticated secure transport for the user
authentication data, and for certificate enrollment.
GetCert is using SSL/TLS as a secure transport, while PIC is using ISAKMP as a
secure transport, created by server authenticated DH.
(Hugo in an e-mail to the list, noted that PIC can be extended to create
mutually authenticated transport)
GetCert uses HTTP as the legacy authentication transport, while PIC is using
EAP.
GetCert uses SCEP for certificate enrollment, while PIC is using dedicated
CREDENTIAL-REQUEST and CREDENTIAL payloads.

I urge you all to please read the two drafts, and share your opinion with the
list. Please speak soon, so we can get as much discussion 
as possible before we start the straw poll.

 Thanks, Sara


From owner-ietf-ipsra@mail.vpnc.org  Mon Feb  5 10:30:24 2001
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA09114
	for <ipsra-archive@odin.ietf.org>; Mon, 5 Feb 2001 10:30:24 -0500 (EST)
Received: by ns.secondary.com (8.9.3/8.9.3) id GAA08590
	for ietf-ipsra-bks; Mon, 5 Feb 2001 06:41:56 -0800 (PST)
Received: from htt-consult.com ([63.82.18.210])
	by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA08583;
	Mon, 5 Feb 2001 06:41:53 -0800 (PST)
Received: from rgm.htt-consult.com ([63.82.18.214]) by htt-consult.com ; Mon, 05 Feb 2001 09:49:06 -0500
Message-Id: <5.0.0.25.2.20010205094447.02a05b40@localhost>
X-Sender: rgm-sec@localhost
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Mon, 05 Feb 2001 09:48:27 -0500
To: Sara Bitan <sarab@radguard.com>, IPSRA list <ietf-ipsra@vpnc.org>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: Starting the decision on PIC vs. GetCert
Cc: Paul Hoffman <phoffman@vpnc.org>
In-Reply-To: <3A7D16A5.C9F094D9@radguard.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At 10:45 AM 2/4/2001 +0200, Sara Bitan wrote:

>Both PIC and GetCert answer the first five requirements. As noted in a recent
>discussion on the list, PIC can be modified to answer the last requirement.
>Both provide server side authenticated secure transport for the user
>authentication data, and for certificate enrollment.
>GetCert is using SSL/TLS as a secure transport, while PIC is using ISAKMP as a
>secure transport, created by server authenticated DH.
>(Hugo in an e-mail to the list, noted that PIC can be extended to create
>mutually authenticated transport)
>GetCert uses HTTP as the legacy authentication transport, while PIC is using
>EAP.
>GetCert uses SCEP for certificate enrollment, while PIC is using dedicated
>CREDENTIAL-REQUEST and CREDENTIAL payloads.

It would be easy for me to change GETCERT to use CMP and CMP Transport over 
HTTP making it fully compliant with PKIX standards, just not following the 
Appendix B ir senario.

It woudl be harder to do it with CMC.  Principle reason is CMC does not 
call out a transport.  If they were to adapt the CMP Transport, I could 
most likely make that work too.

Now due to work requirements I am swamped until Feb 12th.  Any rewrites 
would occur after that.  But give it serious consideration.


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com



From owner-ietf-ipsra@mail.vpnc.org  Mon Feb  5 12:57:32 2001
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA13011
	for <ipsra-archive@odin.ietf.org>; Mon, 5 Feb 2001 12:57:29 -0500 (EST)
Received: by ns.secondary.com (8.9.3/8.9.3) id JAA18539
	for ietf-ipsra-bks; Mon, 5 Feb 2001 09:09:47 -0800 (PST)
Received: from gate.internaut.com ([64.38.134.108])
	by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA18533;
	Mon, 5 Feb 2001 09:09:46 -0800 (PST)
Received: from e1kj2 (e1kj2 [64.38.134.109])
	by gate.internaut.com (8.10.2/8.10.2) with SMTP id f15HBWR25080;
	Mon, 5 Feb 2001 09:11:33 -0800
From: "Bernard Aboba" <aboba@internaut.com>
To: "Robert Moskowitz" <rgm-sec@htt-consult.com>,
        "Sara Bitan" <sarab@radguard.com>, "IPSRA list" <ietf-ipsra@vpnc.org>
Cc: "Paul Hoffman" <phoffman@vpnc.org>
Subject: RE: Starting the decision on PIC vs. GetCert
Date: Mon, 5 Feb 2001 09:17:24 -0800
Message-ID: <OJEJKOMOEAKLMOILFCPJCEGAEAAA.aboba@internaut.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
In-Reply-To: <5.0.0.25.2.20010205094447.02a05b40@localhost>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

>It would be easy for me to change GETCERT to use CMP and CMP Transport over
>HTTP making it fully compliant with PKIX standards, just not following the
>Appendix B ir senario.

Personally, I think this would be a good idea -- especially if EAP support
could be added as well. This would require protection of the EAP
conversation.



From owner-ietf-ipsra@mail.vpnc.org  Mon Feb  5 13:47:10 2001
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA14171
	for <ipsra-archive@odin.ietf.org>; Mon, 5 Feb 2001 13:47:09 -0500 (EST)
Received: by ns.secondary.com (8.9.3/8.9.3) id JAA19225
	for ietf-ipsra-bks; Mon, 5 Feb 2001 09:29:38 -0800 (PST)
Received: from htt-consult.com ([63.82.18.210])
	by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA19218;
	Mon, 5 Feb 2001 09:29:36 -0800 (PST)
Received: from rgm.htt-consult.com ([63.82.18.214]) by htt-consult.com ; Mon, 05 Feb 2001 12:36:50 -0500
Message-Id: <5.0.0.25.2.20010205123520.029da5b0@localhost>
X-Sender: rgm-sec@localhost
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Mon, 05 Feb 2001 12:36:10 -0500
To: "Bernard Aboba" <aboba@internaut.com>, "Sara Bitan" <sarab@radguard.com>,
        "IPSRA list" <ietf-ipsra@vpnc.org>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: RE: Starting the decision on PIC vs. GetCert
Cc: "Paul Hoffman" <phoffman@vpnc.org>
In-Reply-To: <OJEJKOMOEAKLMOILFCPJCEGAEAAA.aboba@internaut.com>
References: <5.0.0.25.2.20010205094447.02a05b40@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At 09:17 AM 2/5/2001 -0800, Bernard Aboba wrote:
> >It would be easy for me to change GETCERT to use CMP and CMP Transport over
> >HTTP making it fully compliant with PKIX standards, just not following the
> >Appendix B ir senario.
>
>Personally, I think this would be a good idea -- especially if EAP support
>could be added as well. This would require protection of the EAP
>conversation.

this is a cert request, and CMP and CMC have the data structures for 
requesting certs.  Does EAP?




Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com



From owner-ietf-ipsra@mail.vpnc.org  Mon Feb  5 14:43:14 2001
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA15796
	for <ipsra-archive@odin.ietf.org>; Mon, 5 Feb 2001 14:43:14 -0500 (EST)
Received: by ns.secondary.com (8.9.3/8.9.3) id KAA23776
	for ietf-ipsra-bks; Mon, 5 Feb 2001 10:47:08 -0800 (PST)
Received: from gate.internaut.com ([64.38.134.108])
	by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA23770;
	Mon, 5 Feb 2001 10:47:07 -0800 (PST)
Received: from e1kj2 (e1kj2 [64.38.134.109])
	by gate.internaut.com (8.10.2/8.10.2) with SMTP id f15ImuR30447;
	Mon, 5 Feb 2001 10:48:56 -0800
From: "Bernard Aboba" <aboba@internaut.com>
To: "Robert Moskowitz" <rgm-sec@htt-consult.com>,
        "Sara Bitan" <sarab@radguard.com>, "IPSRA list" <ietf-ipsra@vpnc.org>
Cc: "Paul Hoffman" <phoffman@vpnc.org>
Subject: RE: Starting the decision on PIC vs. GetCert
Date: Mon, 5 Feb 2001 10:54:48 -0800
Message-ID: <OJEJKOMOEAKLMOILFCPJAEGGEAAA.aboba@internaut.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
In-Reply-To: <5.0.0.25.2.20010205123520.029da5b0@localhost>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

>this is a cert request, and CMP and CMC have the data structures for 
>requesting certs.  Does EAP?

No. It's just a multi-round trip authentication "wrapper" (see
RFC 2284 for details). So you can only use EAP for verifying the
identity, but not for the cert request itself. However, since 
EAP doesn't provide a protected negotiation (unlike IKE or 
GSS_API SPNEGO), the EAP conversation should occur over a 
secure channel. 




From owner-ietf-ipsra@mail.vpnc.org  Mon Feb  5 15:25:12 2001
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA16748
	for <ipsra-archive@odin.ietf.org>; Mon, 5 Feb 2001 15:25:11 -0500 (EST)
Received: by ns.secondary.com (8.9.3/8.9.3) id LAA25249
	for ietf-ipsra-bks; Mon, 5 Feb 2001 11:30:05 -0800 (PST)
Received: from htt-consult.com ([63.82.18.210])
	by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA25242;
	Mon, 5 Feb 2001 11:30:03 -0800 (PST)
Received: from rgm.htt-consult.com ([63.82.18.214]) by htt-consult.com ; Mon, 05 Feb 2001 14:37:18 -0500
Message-Id: <5.0.0.25.2.20010205143548.029c4eb0@localhost>
X-Sender: rgm-sec@localhost
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Mon, 05 Feb 2001 14:36:28 -0500
To: "Bernard Aboba" <aboba@internaut.com>, "Sara Bitan" <sarab@radguard.com>,
        "IPSRA list" <ietf-ipsra@vpnc.org>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: RE: Starting the decision on PIC vs. GetCert
Cc: "Paul Hoffman" <phoffman@vpnc.org>
In-Reply-To: <OJEJKOMOEAKLMOILFCPJAEGGEAAA.aboba@internaut.com>
References: <5.0.0.25.2.20010205123520.029da5b0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At 10:54 AM 2/5/2001 -0800, Bernard Aboba wrote:
> >this is a cert request, and CMP and CMC have the data structures for
> >requesting certs.  Does EAP?
>
>No. It's just a multi-round trip authentication "wrapper" (see
>RFC 2284 for details). So you can only use EAP for verifying the
>identity, but not for the cert request itself. However, since
>EAP doesn't provide a protected negotiation (unlike IKE or
>GSS_API SPNEGO), the EAP conversation should occur over a
>secure channel.

oh, yes.  remeMber the discussion.  perhaps you will help me with that part 
of GETCERT  :)



Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com



From owner-ietf-ipsra@mail.vpnc.org  Tue Feb  6 17:16:43 2001
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA03687
	for <ipsra-archive@odin.ietf.org>; Tue, 6 Feb 2001 17:16:43 -0500 (EST)
Received: by ns.secondary.com (8.9.3/8.9.3) id NAA05435
	for ietf-ipsra-bks; Tue, 6 Feb 2001 13:18:52 -0800 (PST)
Received: from rc_westlake.interdyn.com ([205.147.53.144])
	by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA05420;
	Tue, 6 Feb 2001 13:18:47 -0800 (PST)
Received: by RC_WESTLAKE with Internet Mail Service (5.5.2653.19)
	id <1F7PC4R8>; Tue, 6 Feb 2001 13:25:31 -0800
Received: from redcreek.com (host43.redcreek.com [209.218.26.43]) by exchange.redcreek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
	id 1F7LFDGR; Tue, 6 Feb 2001 13:25:12 -0800
Message-ID: <3A806B9D.51EF91D6@redcreek.com>
Date: Tue, 06 Feb 2001 13:24:45 -0800
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (X11; U; Linux 2.2.12-20 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Sara Bitan <sarab@radguard.com>
CC: IPSRA list <ietf-ipsra@vpnc.org>, Paul Hoffman <phoffman@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert
References: <3A7D16A5.C9F094D9@radguard.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

I haven't come down one way or the other yet, but have made the
following observations: if pic is chosen, the fact that it would be part
of the ipsec subsystem makes the problem of getting the cert into the
ipsec credential db transparent to the user. If getcert is used with a
browser interface, this is not the case (although I know getcert could
be implemented by the ipsec client code as well). Also, getcert may be
susceptible to any associated tls security issues. Comments, anyone?

Scott


From owner-ietf-ipsra@mail.vpnc.org  Wed Feb  7 15:58:34 2001
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA08625
	for <ipsra-archive@odin.ietf.org>; Wed, 7 Feb 2001 15:58:33 -0500 (EST)
Received: by ns.secondary.com (8.9.3/8.9.3) id LAA01781
	for ietf-ipsra-bks; Wed, 7 Feb 2001 11:44:51 -0800 (PST)
Received: from tholian.securitydynamics.com (tholian.securid.com [204.167.112.129])
	by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA01777
	for <ietf-ipsra@vpnc.org>; Wed, 7 Feb 2001 11:44:48 -0800 (PST)
Received: from [192.168.7.5] by tholian.securitydynamics.com
          via smtpd (for mail.vpnc.org [208.184.76.50]) with SMTP; 7 Feb 2001 19:50:48 UT
Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4])
	by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA28283;
	Wed, 7 Feb 2001 14:48:25 -0500 (EST)
Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21)
	id <1PPSN2AA>; Wed, 7 Feb 2001 14:48:25 -0500
Message-ID: <F504A8CEE925D411AF4A00508B8BE90A93E414@exna07.securitydynamics.com>
From: "Linn, John" <jlinn@rsasecurity.com>
To: "'Bernard Aboba'" <aboba@internaut.com>,
        Robert Moskowitz
	 <rgm-sec@htt-consult.com>,
        IPSRA list <ietf-ipsra@vpnc.org>
Subject: RE: Starting the decision on PIC vs. GetCert
Date: Wed, 7 Feb 2001 14:48:12 -0500 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

I'll second the motion that a change from SCEP to CMP would be a positive
step for GetCert. Per EAP, PIC's choice to layer on EAP was fortunate in
that it provides natively to support multi-step transactions where needed.
As such, it offers another means to incorporate this capability into
GetCert, alternative to the approaches that were discussed on the list at
and shortly after the San Diego meeting. 

--jl

> -----Original Message-----
> From: Bernard Aboba [mailto:aboba@internaut.com]
> Sent: Monday, February 05, 2001 12:17 PM
> To: Robert Moskowitz; Sara Bitan; IPSRA list
> Cc: Paul Hoffman
> Subject: RE: Starting the decision on PIC vs. GetCert
> 
> 
> >It would be easy for me to change GETCERT to use CMP and CMP 
> Transport over
> >HTTP making it fully compliant with PKIX standards, just not 
> following the
> >Appendix B ir senario.
> 
> Personally, I think this would be a good idea -- especially 
> if EAP support
> could be added as well. This would require protection of the EAP
> conversation.
> 


From owner-ietf-ipsra@mail.vpnc.org  Fri Feb  9 20:02:46 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA05431
	for <ipsra-archive@odin.ietf.org>; Fri, 9 Feb 2001 20:02:46 -0500 (EST)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id QAA13020
	for ietf-ipsra-bks; Fri, 9 Feb 2001 16:10:03 -0800 (PST)
Received: from NEPTUNE.zucotto.com ([216.95.209.154])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA12627;
	Fri, 9 Feb 2001 16:02:42 -0800 (PST)
Received: by NEPTUNE.zucotto.com with Internet Mail Service (5.5.2650.21)
	id <CTQSWK33>; Fri, 9 Feb 2001 19:02:32 -0500
Message-ID: <FC0292EA4D13D34EA2E5FC728D70A8E3078C23@NEPTUNE.zucotto.com>
From: Kulwinder Atwal <kulwinder.atwal@zucotto.com>
To: "'zeroconf@merit.edu'" <zeroconf@merit.edu>, seamoby@cdma-2000.org,
        MOBILE-IP@STANDARDS.NORTELNETWORKS.COM,
        "'srvloc@srvloc.org'"
	 <srvloc@srvloc.org>,
        "'aaa-wg@merit.edu'" <aaa-wg@merit.edu>,
        "'manet@itd.nrl.navy.mil'" <manet@itd.nrl.navy.mil>,
        "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>,
        "'ipsec-policy@vpnc.org'" <ipsec-policy@vpnc.org>,
        "'ietf-ipsra@vpnc.org'" <ietf-ipsra@vpnc.org>,
        "'ietf-sacred@imc.org'"
	 <ietf-sacred@imc.org>,
        "'enum@ietf.org'" <enum@ietf.org>,
        "'sigtran@standards.nortelnetworks.com'"
	 <sigtran@STANDARDS.NORTELNETWORKS.COM>,
        "'ietf@ietf.org'"
	 <ietf@ietf.org>,
        "'IETF-Announce@ietf.org'" <IETF-Announce@ietf.org>,
        "'BLUETOOTH-BOF@mailbag.cps.intel.com'"
	 <BLUETOOTH-BOF@mailbag.cps.intel.com>
Cc: "'Thomas Narten'" <narten@raleigh.ibm.com>,
        Akers Ron-WRA001
	 <Ron.Akers@motorola.com>
Subject: BOF:   IP over Bluetooth for 50th Meeting of IETF. 
Date: Fri, 9 Feb 2001 19:02:30 -0500 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>



Myself and Ron Akers have requested an IP over Bluetooth BOF for the 50th
Meeting of the IETF in Minneapolis.  The BOF will discuss the creation of a
IETF Working Group to investigate the most open and efficient way to place
IP over the Bluetooth Host Controller.

Current work in this area within the Bluetooth SIG concentrates on defining
IP over a set of other lower-layer stacks. Currently there are two options
defined by the Bluetoth SIG:

 Option 1: IP/PPP/RFCOM/L2CAP/Host Controller

 Option 2: IP/PAN Profile/L2CAP/Host Controller
 	   (where the PAN Profile is a Bluetooth SIG work in progress)
 

We are proposing that the IETF form a WG to define a more efficient way of
running IP over Bluetooth. In particular, IP would run
 over an IETF protocol over the Host Controller without L2CAP.  This option
may be adopted by the Bluetooth SIG at a later date as a Profile.  Since all
Bluetooth SIG Profiles are optional, a customer may choose any combination
of Profiles in a final product.  Further, since Bluetooth Working Groups
have it in their mandate to adopt protocols from other standards making
bodies such as the IETF, there exists a clear path for IETF work to be
adopted by the Bluetooth SIG.
 
Whereas the last BOF was informational only and organized by the Bluetooth
SIG itself, the objective of this BOF will be to foster innovation, and
speed progress by placing IP related protocol development wihin the IETF and
Bluetooth-specific protocol development
 within the Bluetooth SIG, by developing an IP over Bluetooth IETF Working
Group.
 
This effort will define its own way of running IP over Bluetooth, by
carefully selecting a set of Bluetooth protocols (freely available from
published specifications at
http://www.bluetooth.com/developer/specification/specification.asp) on which
to build IP.

Please join myself, Kulwinder Atwal, and Ron Akers on the pre-BOF mailing
list:
 
This site runs version 2.0.1 of the "Mailman" list manager.  
The following describes commands you can send to get
information about, and control your subscription to the lists at
this site. Note that much of the following can also be 
accomplished via the World Wide Web, at:

    http://internet.motlabs.com/mailman/listinfo/bluetooth

In particular, you can use the Web site to have your password sent to
your delivery address.

Email commands can be in the subject line or in the body 
of the message. The commands should be set to the following address:

  <bluetooth-request@internet.motlabs.com>

About the descriptions - words in "<>"s signify REQUIRED items and
words in "[]" denote OPTIONAL items.  Do not include the "<>"s or
"[]"s when you use the commands.

The following commands are valid:

    subscribe [password] [digest-option] [address=<address>]
        Subscribe to the mailing list.  Your password must be given to
        unsubscribe or change your options.  When you subscribe to the
        list, you'll be reminded of your password periodically.
        'digest-option' may be either: 'nodigest' or 'digest' (no
        quotes!)  If you wish to subscribe an address other than the
        address you send this request from, you may specify
        "address=<email address>" (no brackets around the email
        address, no quotes!)

    unsubscribe <password> [address]
        Unsubscribe from the mailing list.  Your password must match
        the one you gave when you subscribed.  If you are trying to
        unsubscribe from a different address than the one you
        subscribed from, you may specify it in the 'address' field.

    who
        See everyone who is on this mailing list.

    info
        View the introductory information for this list.

    lists
        See what mailing lists are run by this Mailman server.

    help
        This message.

    set <option> <on|off> <password> 
        Turn on or off list options.  Valid options are:

        ack:
            Turn this on to receive acknowledgement mail when you send
            mail to the list.

        digest:
            Receive mail from the list bundled together instead of one
            post at a time.

        plain:
            Get plain-text, not MIME-compliant, digests (only if
            digest is set)

        nomail:
            Stop delivering mail.  Useful if you plan on taking a
            short vacation.

        norcv:
            Turn this on to NOT receive posts you send to the list.
            Does not work if digest is set.

        hide:
            Conceals your address when people look at who is on this
            list.


    options
        Show the current values of your list options.

    password <oldpassword> <newpassword> 
        Change your list password.
    
    end or --
       Stop processing commands (good to do if your mailer
       automatically adds a signature file - it'll save you from a lot
       of cruft).


Commands should be sent to bluetooth-request@internet.motlabs.com

Questions and concerns for the attention of a person should be sent to

    bluetooth-admin@internet.motlabs.com



Kulwinder Atwal
Bluetooth Design
Zucotto Wireless Inc.
kulwinder.atwal@zucotto.com

------------------------------------------------------------
Ron Akers                               Voice :(847)576-7928
Networks and Infrastructure Research      FAX :(847)576-3240
Motorola Laboratories           email:ron.akers@motorola.com 
1301 Algonquin Rd, Rm 2246
Schaumburg, IL. 60196
------------------------------------------------------------


From owner-ietf-ipsra@mail.vpnc.org  Sun Feb 11 07:48:02 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA08168
	for <ipsra-archive@odin.ietf.org>; Sun, 11 Feb 2001 07:48:02 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id EAA14504
	for ietf-ipsra-bks; Sun, 11 Feb 2001 04:18:46 -0800 (PST)
Received: from dfmail.f-secure.com (dfmail.f-secure.com [194.252.6.39])
	by above.proper.com (8.9.3/8.9.3) with SMTP id EAA14494
	for <ietf-ipsra@vpnc.org>; Sun, 11 Feb 2001 04:18:44 -0800 (PST)
Received: (qmail 31078 invoked by uid 0); 11 Feb 2001 12:18:44 -0000
Received: from fsav4im2.f-secure.com (HELO fsav4im2) (194.197.29.47)
  by dfmail.f-secure.com with SMTP; 11 Feb 2001 12:18:44 -0000
Received: from dfintra.f-secure.com ([194.197.29.8]:4834) (HELO dfintra.f-secure.com)
 by fsav4im2 ([194.197.29.47]:25) (F-Secure Anti-Virus for Internet Mail 5.0.53 Release)
 with SMTP; Sun, 11 Feb 2001 12:21:22 -0000
Received: (qmail 11639 invoked from network); 11 Feb 2001 12:18:42 -0000
Received: from unknown (HELO F-Secure.com) (10.128.148.1)
  by dfintra.f-secure.com with SMTP; 11 Feb 2001 12:18:42 -0000
Message-ID: <3A868317.C0E8291F@F-Secure.com>
Date: Sun, 11 Feb 2001 14:18:31 +0200
From: Ari Huttunen <Ari.Huttunen@f-secure.com>
Organization: F-Secure Corporation
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Scott G. Kelly" <skelly@redcreek.com>
CC: Sara Bitan <sarab@radguard.com>, IPSRA list <ietf-ipsra@vpnc.org>,
        Paul Hoffman <phoffman@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert
References: <3A7D16A5.C9F094D9@radguard.com> <3A806B9D.51EF91D6@redcreek.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit


"Scott G. Kelly" wrote:
> 
> I haven't come down one way or the other yet, but have made the
> following observations: if pic is chosen, the fact that it would be part
> of the ipsec subsystem makes the problem of getting the cert into the
> ipsec credential db transparent to the user. If getcert is used with a
> browser interface, this is not the case (although I know getcert could
> be implemented by the ipsec client code as well). Also, getcert may be
> susceptible to any associated tls security issues. Comments, anyone?
> 
> Scott

If the solution is too tightly bound to the IKE implementation, deployment
of the solution will require that all IKE implementations used by the corporation
be changed. On the other hand, a separate client product pushing a cert to an 
OS cert store and a separate authentication server would be more easily deployable.

Ari

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security


From owner-ietf-ipsra@mail.vpnc.org  Sun Feb 11 07:49:00 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA08180
	for <ipsra-archive@odin.ietf.org>; Sun, 11 Feb 2001 07:49:00 -0500 (EST)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id EAA14088
	for ietf-ipsra-bks; Sun, 11 Feb 2001 04:07:57 -0800 (PST)
Received: from dfmail.f-secure.com (dfmail.f-secure.com [194.252.6.39])
	by above.proper.com (8.9.3/8.9.3) with SMTP id EAA14082
	for <ietf-ipsra@vpnc.org>; Sun, 11 Feb 2001 04:07:52 -0800 (PST)
Received: (qmail 30934 invoked by uid 0); 11 Feb 2001 12:07:47 -0000
Received: from fsav4im2.f-secure.com (HELO fsav4im2) (194.197.29.47)
  by dfmail.f-secure.com with SMTP; 11 Feb 2001 12:07:47 -0000
Received: from dfintra.f-secure.com ([194.197.29.8]:4808) (HELO dfintra.f-secure.com)
 by fsav4im2 ([194.197.29.47]:25) (F-Secure Anti-Virus for Internet Mail 5.0.53 Release)
 with SMTP; Sun, 11 Feb 2001 12:10:25 -0000
Received: (qmail 10786 invoked from network); 11 Feb 2001 12:07:44 -0000
Received: from unknown (HELO F-Secure.com) (10.128.148.1)
  by dfintra.f-secure.com with SMTP; 11 Feb 2001 12:07:44 -0000
Message-ID: <3A868085.95BC3980@F-Secure.com>
Date: Sun, 11 Feb 2001 14:07:33 +0200
From: Ari Huttunen <Ari.Huttunen@f-secure.com>
Organization: F-Secure Corporation
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Sara Bitan <sarab@radguard.com>
CC: IPSRA list <ietf-ipsra@vpnc.org>, Paul Hoffman <phoffman@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert
References: <3A7D16A5.C9F094D9@radguard.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

I like the ability mentioned in PIC to locate the Authentication Server
and the GW in different locations, in an attempt to provide resistance
to DoS attacks against the GW. This capability should also be possible
in Getcert.

As I see DoS resistance useful even when legacy authentication as such
is not the primary issue, I also like the ability to do N-factor authentication.
In such a scenario, the chosen protocol could be deployed to provide DoS
resistance to GW even though all the certs etc. would be available to connect
the client to the GW via standard IKE. 

I don't believe using preshared keying, with a PSK given by the AS to connect
to the GW is such a good idea. There will likely be more management problems
created with this, in particular for the AS<->GW connection, than the benefit
obtained by the reduced amount of work per connection that the GW must do.
Instead of AS giving a PSK to client, this situation should be solved by
creating a more DoS resistant IKE mode (base mode) or by using Kerberos and
the method to be developed by KINK to connect to the GW. Naturally these
issues are not relevant for this WG, but might have some relevance as to which
candidate is chosen.

I would also like to see it possible for the AS to provide the client
a "policy blob". The contents of this "policy blob" would not be defined by
this WG, but possibly by IPSP WG. This would make it possible for the client
to be just configured to contact the AS. The AS would then tell the client
as to what actual GW the client should contact, maybe based on knowledge of
which GWs have least load at that point, achieving load-balancing. (Besides, the
reality will be that this is implemented as vendor specific methods, even
though not specified. So why not specify it from the start?)

I understand that these issues are not at the core of what's needed, but both
candidates seem to provide for the core needs anyway. So, I would like to cast 
my vote on the candidate that has more future potential. When legacy authentication
is being solved satisfactorily at some future point, the chosen candidate would
still have some reason for existance.

Ari

Sara Bitan wrote:
> 
> Hello all!
> 
> We would like to choose one candidate between PIC and GetCert, and to have
> progress with the chosen one.
> We will have a short (two weeks) discussion on the list, followed by
> a straw poll.
> 
> Here is a general summary that I hope will help us start the discussion.
> 
> These are the general requirements PIC and GetCert were devised to answer:
> 
> (From draft-ietf-ipsra-reqmts-03.txt)
>   " In general, proposed IPsec remote access mechanisms should meet the
>    following goals:
>      o should provide direct support for legacy user authentication
>        systems such as RADIUS
>      o should encourage migration from existing low-entropy
>        password-based systems to more secure authentication systems
>      o if legacy support cannot be provided without some sort of
>        migration, the impact of such migration should be minimized
>      o user authentication information must be protected against
>        eavesdropping and replay (including the user identity)
>      o single sign-on capability should be provided in configurations
>        employing load-balancing and/or redundancy
>      o n-factor authentication mechanisms should be supported"
> 
> Both PIC and GetCert answer the first five requirements. As noted in a recent
> discussion on the list, PIC can be modified to answer the last requirement.
> Both provide server side authenticated secure transport for the user
> authentication data, and for certificate enrollment.
> GetCert is using SSL/TLS as a secure transport, while PIC is using ISAKMP as a
> secure transport, created by server authenticated DH.
> (Hugo in an e-mail to the list, noted that PIC can be extended to create
> mutually authenticated transport)
> GetCert uses HTTP as the legacy authentication transport, while PIC is using
> EAP.
> GetCert uses SCEP for certificate enrollment, while PIC is using dedicated
> CREDENTIAL-REQUEST and CREDENTIAL payloads.
> 
> I urge you all to please read the two drafts, and share your opinion with the
> list. Please speak soon, so we can get as much discussion
> as possible before we start the straw poll.
> 
>  Thanks, Sara

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security


From owner-ietf-ipsra@mail.vpnc.org  Sun Feb 11 08:40:09 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA08687
	for <ipsra-archive@odin.ietf.org>; Sun, 11 Feb 2001 08:40:08 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id FAA15736
	for ietf-ipsra-bks; Sun, 11 Feb 2001 05:05:31 -0800 (PST)
Received: from frigg.inter.net.il (frigg.inter.net.il [192.114.186.16])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA15731;
	Sun, 11 Feb 2001 05:05:28 -0800 (PST)
Received: from 1david.tadlys ([192.116.242.18])
	by frigg.inter.net.il (Mirapoint)
	with SMTP id AJR08293;
	Sun, 11 Feb 2001 14:47:24 +0200 (IST)
Message-ID: <004f01c09429$3dceb1e0$589618ac@tadlys>
From: "David Almer zahav" <almer@tadlys.com>
To: <zeroconf@merit.edu>, <seamoby@cdma-2000.org>,
        <MOBILE-IP@marvin.corpeast.baynetworks.com>, <srvloc@srvloc.org>,
        <aaa-wg@merit.edu>, <manet@itd.nrl.navy.mil>,
        <ipsec@lists.tislabs.com>, <ipsec-policy@vpnc.org>,
        <ietf-ipsra@vpnc.org>, <ietf-sacred@imc.org>, <enum@ietf.org>,
        <sigtran@marvin.corpeast.baynetworks.com>, <ietf@ietf.org>,
        <IETF-Announce@ietf.org>, <BLUETOOTH-BOF@mailbag.cps.intel.com>
Cc: "David Almer @tadlys" <almer@tadlys.com>
Subject: BOF: IP over Bluetooth for 50th Meeting of IETF.
Date: Sun, 11 Feb 2001 14:49:15 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_003A_01C09439.CE0A4480"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

This is a multi-part message in MIME format.

------=_NextPart_000_003A_01C09439.CE0A4480
Content-Type: text/plain;
	charset="windows-1255"
Content-Transfer-Encoding: quoted-printable

Gentlemen,

Please join myself, David Almer on the pre-BOF mailing list.

Regards,
David Almer
Director Systems Engineering
Tadlys Ltd.
7 Oppenheimer St., Rehovot, Israel
tel:    972 - 8 - 936 6641
email: almer@tadlys.com
=20


------=_NextPart_000_003A_01C09439.CE0A4480
Content-Type: text/html;
	charset="windows-1255"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Dwindows-1255" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2919.6307" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Gentlemen,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Please join myself, David Almer on the =
pre-BOF=20
mailing list.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2><BR>Regards,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>David Almer</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Director Systems =
Engineering</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Tadlys&nbsp;Ltd.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>7 Oppenheimer St., Rehovot, =
Israel</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>tel:&nbsp;&nbsp;&nbsp; 972 - 8 - 936=20
6641</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>email:=20
almer@tadlys.com<BR>&nbsp;<BR></DIV></FONT></BODY></HTML>

------=_NextPart_000_003A_01C09439.CE0A4480--



From owner-ietf-ipsra@mail.vpnc.org  Sun Feb 11 08:53:17 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA08812
	for <ipsra-archive@odin.ietf.org>; Sun, 11 Feb 2001 08:53:17 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id FAA16560
	for ietf-ipsra-bks; Sun, 11 Feb 2001 05:23:46 -0800 (PST)
Received: from rip.psg.com (exim@rip.psg.com [147.28.0.39])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA15876;
	Sun, 11 Feb 2001 05:19:34 -0800 (PST)
Received: from randy by rip.psg.com with local (Exim 3.16 #1)
	id 14RwNr-000MOk-00; Sun, 11 Feb 2001 05:17:43 -0800
From: Randy Bush <randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "David Almer zahav" <almer@tadlys.com>
Cc: <zeroconf@merit.edu>, <seamoby@cdma-2000.org>,
        <MOBILE-IP@marvin.corpeast.baynetworks.com>, <srvloc@srvloc.org>,
        <aaa-wg@merit.edu>, <manet@itd.nrl.navy.mil>,
        <ipsec@lists.tislabs.com>, <ipsec-policy@vpnc.org>,
        <ietf-ipsra@vpnc.org>, <ietf-sacred@imc.org>, <enum@ietf.org>,
        <sigtran@marvin.corpeast.baynetworks.com>, <ietf@ietf.org>,
        <IETF-Announce@ietf.org>, <BLUETOOTH-BOF@mailbag.cps.intel.com>
Subject: Re: BOF: IP over Bluetooth for 50th Meeting of IETF.
References: <004f01c09429$3dceb1e0$589618ac@tadlys>
Message-Id: <E14RwNr-000MOk-00@rip.psg.com>
Date: Sun, 11 Feb 2001 05:17:43 -0800
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

> Gentlemen,

> Please join myself, David Almer on the pre-BOF mailing list.

are women not welcome?

randy


From owner-ietf-ipsra@mail.vpnc.org  Sun Feb 11 18:04:30 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id SAA13379
	for <ipsra-archive@odin.ietf.org>; Sun, 11 Feb 2001 18:04:30 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id OAA27907
	for ietf-ipsra-bks; Sun, 11 Feb 2001 14:10:59 -0800 (PST)
Received: from NEPTUNE.zucotto.com ([216.95.209.154])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA27694;
	Sun, 11 Feb 2001 14:06:47 -0800 (PST)
Received: by NEPTUNE.zucotto.com with Internet Mail Service (5.5.2650.21)
	id <CTQSWK83>; Sun, 11 Feb 2001 17:06:34 -0500
Message-ID: <FC0292EA4D13D34EA2E5FC728D70A8E3078C30@NEPTUNE.zucotto.com>
From: Kulwinder Atwal <kulwinder.atwal@zucotto.com>
To: "'Randy Bush'" <randy@psg.com>, David Almer zahav <almer@tadlys.com>
Cc: zeroconf@merit.edu, seamoby@cdma-2000.org,
        MOBILE-IP@marvin.corpeast.baynetworks.com, srvloc@srvloc.org,
        aaa-wg@merit.edu, manet@itd.nrl.navy.mil, ipsec@lists.tislabs.com,
        ipsec-policy@vpnc.org, ietf-ipsra@vpnc.org, ietf-sacred@imc.org,
        enum@ietf.org, sigtran@marvin.corpeast.baynetworks.com, ietf@ietf.org,
        IETF-Announce@ietf.org, BLUETOOTH-BOF@mailbag.cps.intel.com
Subject: RE: [seamoby] Re: BOF: IP over Bluetooth for 50th Meeting of IETF
	.
Date: Sun, 11 Feb 2001 17:06:26 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

Everyone's invited!  Welcome.

- Kulwinder Atwal.


> -----Original Message-----
> From: Randy Bush [mailto:randy@psg.com]
> Sent: Sunday, February 11, 2001 8:18 AM
> To: David Almer zahav
> Cc: zeroconf@merit.edu; seamoby@cdma-2000.org;
> MOBILE-IP@marvin.corpeast.baynetworks.com; srvloc@srvloc.org;
> aaa-wg@merit.edu; manet@itd.nrl.navy.mil; ipsec@lists.tislabs.com;
> ipsec-policy@vpnc.org; ietf-ipsra@vpnc.org; ietf-sacred@imc.org;
> enum@ietf.org; sigtran@marvin.corpeast.baynetworks.com; ietf@ietf.org;
> IETF-Announce@ietf.org; BLUETOOTH-BOF@mailbag.cps.intel.com
> Subject: [seamoby] Re: BOF: IP over Bluetooth for 50th 
> Meeting of IETF.
> 
> 
> > Gentlemen,
> 
> > Please join myself, David Almer on the pre-BOF mailing list.
> 
> are women not welcome?
> 
> randy
> 


From owner-ietf-ipsra@mail.vpnc.org  Mon Feb 12 00:17:54 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id AAA17817
	for <ipsra-archive@odin.ietf.org>; Mon, 12 Feb 2001 00:17:53 -0500 (EST)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id UAA06062
	for ietf-ipsra-bks; Sun, 11 Feb 2001 20:34:12 -0800 (PST)
Received: from RNR-DB. ([211.106.66.239])
	by above.proper.com (8.9.3/8.9.3) with SMTP id UAA06038
	for <ietf-ipsra@vpnc.org>; Sun, 11 Feb 2001 20:32:50 -0800 (PST)
From: toner3@yep.com
Received: from 211.106.66.239 by RNR-DB. (SMI-8.6/SMI-SVR4)
	id NAA28132; Mon, 12 Feb 2001 13:16:32 +0900
Message-Id: <200102120416.NAA28132@RNR-DB.>
To: friend@republic.com
Date: Sun, 11 Feb 01 03:43:18 EST
Subject: toner supplies
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

PLEASE FORWARD TO THE PERSON
RESPONSIBLE FOR PURCHASING
YOUR LASER PRINTER SUPPLIES


**** VORTEX  SUPPLIES ****

-SPECIALS OF THE DAY ON LASER TONER SUPPLIES AT DISCOUNT PRICES--

LASER PRINTER TONER CARTRIDGES
COPIER AND FAX CARTRIDGES

WE ARE -->THE<-- PLACE TO BUY YOUR TONER CARTRIDGES BECAUSE YOU
SAVE UP TO 30% FROM OFFICE DEPOT'S, QUILL'S OR OFFICE MAX'S EVERY DAY
LOW PRICES

ORDER BY PHONE:1-888-288-9043
ORDER BY FAX: 1-888-977-1577
CUSTOMER SERVICE: 1-888-248-2015
E-MAIL REMOVAL LINE: 1-888-248-4930 

UNIVERSITY AND/OR SCHOOL PURCHASE ORDERS WELCOME. (NO CREDIT APPROVAL REQUIRED)
ALL OTHER PURCHASE ORDER REQUESTS REQUIRE CREDIT APPROVAL.

PAY BY CHECK (C.O.D), CREDIT CARD OR PURCHASE ORDER (NET 30 DAYS).


IF YOUR ORDER IS BY CREDIT CARD PLEASE LEAVE YOUR CREDIT CARD # PLUS EXPIRATION DATE. 
IF YOUR ORDER IS BY PURCHASE ORDER LEAVE YOUR SHIPPING/BILLING ADDRESSES AND YOUR P.O. NUMBER
NO SHIPPING CHARGES FOR ORDERS $49 OR OVER
ADD $4.75 FOR ORDERS UNDER $49.
C.O.D. ORDERS ADD $4.5 TO SHIPPING CHARGES.

FOR THOSE OF YOU WHO REQUIRE MORE INFORMATION ABOUT OUR COMPANY
INCUDING FEDERAL TAX ID NUMBER, CLOSEST SHIPPING OR CORPORATE ADDRESS IN THE
CONTINENTAL U.S.  OR  FOR CATALOG  REQUESTS PLEASE CALL OUR CUSTOMER
SERVICE LINE  1-888-248-2015 
 

OUR NEW, LASER PRINTER TONER CARTRIDGE, PRICiES ARE  AS FOLLOWS: 

(PLEASE ORDER BY PAGE NUMBER AND/OR ITEM NUMBER)
                                 
HEWLETT PACKARD: (ON PAGE 2)
                                   
ITEM #1  LASERJET SERIES  4L,4P (74A)------------------------$44
ITEM #2  LASERJET SERIES  1100 (92A)-------------------------$44
ITEM #3  LASERJET SERIES  2 (95A)-------------------------------$39
ITEM #4  LASERJET SERIES  2P (75A)-----------------------------$54 
ITEM #5  LASERJET SERIES  5P,6P,5MP, 6MP (3903A)--$44
ITEM #6  LASERJET SERIES  5SI, 5000 (29A)------------------$95
ITEM #7  LASERJET SERIES  2100 (96A)-------------------------$74
ITEM #8  LASERJET SERIES  8100 (82X)-----------------------$145
ITEM #9  LASERJET SERIES  5L/6L (3906A0------------------$35
ITEM #10 LASERJET SERIES  4V-------------------------------------$95
ITEM #11 LASERJET SERIES 4000 (27X)-------------------------$72
ITEM #12 LASERJET SERIES 3SI/4SI (91A)--------------------$54
ITEM #13 LASERJET SERIES 4, 4M, 5,5M-----------------------$49

HEWLETT PACKARD FAX (ON PAGE 2)

ITEM #14 LASERFAX 500, 700 (FX1)----------$49
ITEM #15  LASERFAX 5000,7000 (FX2)------$54
ITEM #16  LASERFAX (FX3)------------------------$59
ITEM #17  LASERFAX (FX4)------------------------$54

LEXMARK/IBM (ON PAGE 3)

OPTRA 4019, 4029 HIGH YIELD---------------$89
OPTRA R, 4039, 4049 HIGH YIELD---------$105
OPTRA E----------------------------------------------------$59
OPTRA N--------------------------------------------------$115
OPTRA S--------------------------------------------------$165
-
EPSON (ON PAGE 4)

ACTION LASER 7000,7500,8000,9000-------$105
ACTION LASER 1000,1500-------------------------$105

CANON PRINTERS (ON PAGE 5)

 PLEASE CALL FOR MODELS AND UPDATED PRICES
 FOR CANON PRINTER CARTRIDGES

PANASONIC (0N PAGE 7)

NEC SERIES 2 MODELS 90 AND 95----------$105

APPLE (0N PAGE 8)

LASER WRITER PRO 600 or 16/600------------$49 
LASER WRITER SELECT 300,320,360---------$74
LASER WRITER 300 AND 320----------------------$54
LASER WRITER NT, 2NT------------------------------$54
LASER WRITER 12/640--------------------------------$79



CANON FAX (ON PAGE 9)

LASERCLASS 4000 (FX3)---------------------------$59
LASERCLASS 5000,6000,7000 (FX2)---------$54
LASERFAX 5000,7000 (FX2)----------------------$54
LASERFAX 8500,9000 (FX4)----------------------$54


CANON COPIERS (PAGE 10)

PC 3, 6RE, 7 AND 11 (A30)---------------------$69
PC 300,320,700,720 and 760 (E-40)--------$89

IF YOUR CARTRIDGE IS NOT LISTED CALL CUSTOMER SERVICE AT 1-888-248-2015 

90 DAY UNLIMITED WARRANTY INCLUDED ON ALL PRODUCTS.

ALL TRADEMARKS AND BRAND NAMES LISTED ABOVE ARE PROPERTY OF THE 
RESPECTIVE HOLDERS AND USED FOR DESCRIPTIVE PURPOSES ONLY.



From owner-ietf-ipsra@mail.vpnc.org  Mon Feb 12 05:51:58 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id FAA03486
	for <ipsra-archive@odin.ietf.org>; Mon, 12 Feb 2001 05:51:57 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id CAA08392
	for ietf-ipsra-bks; Mon, 12 Feb 2001 02:06:47 -0800 (PST)
Received: from mimesweeper.radioscape.com (mail.radioscape.com [193.122.23.66])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA08388;
	Mon, 12 Feb 2001 02:06:44 -0800 (PST)
Received: from euler.radioscape.com (unverified) by mimesweeper.radioscape.com
 (Content Technologies SMTPRS 4.2.1) with ESMTP id <T51ae8647d20a000006102@mimesweeper.radioscape.com>;
 Mon, 12 Feb 2001 10:06:26 +0000
Received: by EULER with Internet Mail Service (5.5.2653.19)
	id <C03YGBMN>; Mon, 12 Feb 2001 09:58:38 -0000
Message-ID: <3190BC9FA8F6D3119508009027E5B33E1CDBF6@MORSE>
From: "Thakare, Kiran" <KThakare@radioscape.com>
To: "'Randy Bush'" <randy@PSG.COM>, David Almer zahav <almer@tadlys.com>
Cc: zeroconf@merit.edu, seamoby@cdma-2000.org,
        MOBILE-IP@marvin.corpeast.baynetworks.com, srvloc@srvloc.org,
        aaa-wg@merit.edu, manet@itd.nrl.navy.mil, ipsec@lists.tislabs.com,
        ipsec-policy@vpnc.org, ietf-ipsra@vpnc.org, ietf-sacred@imc.org,
        enum@ietf.org, sigtran@marvin.corpeast.baynetworks.com, ietf@ietf.org,
        IETF-Announce@ietf.org, BLUETOOTH-BOF@mailbag.cps.intel.com
Subject: RE: BOF: IP over Bluetooth for 50th Meeting of IETF.
Date: Mon, 12 Feb 2001 10:06:26 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

Dear All (whatever gender u amy carry)

Please join myself 'Ms Kiran Thakare' for pre-BOF mailing list.

Thanks
Kiran

-----Original Message-----
From: Randy Bush [mailto:randy@PSG.COM]
Sent: 11 February 2001 13:18
To: David Almer zahav
Cc: zeroconf@merit.edu; seamoby@cdma-2000.org;
MOBILE-IP@marvin.corpeast.baynetworks.com; srvloc@srvloc.org;
aaa-wg@merit.edu; manet@itd.nrl.navy.mil; ipsec@lists.tislabs.com;
ipsec-policy@vpnc.org; ietf-ipsra@vpnc.org; ietf-sacred@imc.org;
enum@ietf.org; sigtran@marvin.corpeast.baynetworks.com; ietf@ietf.org;
IETF-Announce@ietf.org; BLUETOOTH-BOF@mailbag.cps.intel.com
Subject: Re: BOF: IP over Bluetooth for 50th Meeting of IETF.


> Gentlemen,

> Please join myself, David Almer on the pre-BOF mailing list.

are women not welcome?

randy


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
postmaster@radioscape.com.

This footnote also confirms that this email message has been scanned
for the presence of computer viruses known at the time of sending.

www.radioscape.com
**********************************************************************


From owner-ietf-ipsra@mail.vpnc.org  Mon Feb 12 12:46:01 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA16167
	for <ipsra-archive@odin.ietf.org>; Mon, 12 Feb 2001 12:46:00 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id IAA08848
	for ietf-ipsra-bks; Mon, 12 Feb 2001 08:54:15 -0800 (PST)
Received: from rc_westlake.interdyn.com ([205.147.53.144])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA08842
	for <ietf-ipsra@vpnc.org>; Mon, 12 Feb 2001 08:54:14 -0800 (PST)
Received: by RC_WESTLAKE with Internet Mail Service (5.5.2653.19)
	id <1F7PCYZV>; Mon, 12 Feb 2001 08:53:46 -0800
Received: from redcreek.com (host43.redcreek.com [209.218.26.43]) by exchange.redcreek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
	id 142TK4D2; Mon, 12 Feb 2001 08:53:36 -0800
Message-ID: <3A881519.AE1A2864@redcreek.com>
Date: Mon, 12 Feb 2001 08:53:45 -0800
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (X11; U; Linux 2.2.12-20 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Ari Huttunen <Ari.Huttunen@f-secure.com>
CC: IPSRA list <ietf-ipsra@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert
References: <3A7D16A5.C9F094D9@radguard.com> <3A806B9D.51EF91D6@redcreek.com> <3A868317.C0E8291F@F-Secure.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Hi Ari,

Comments below...

Ari Huttunen wrote:
> 
> "Scott G. Kelly" wrote:
> >
> > I haven't come down one way or the other yet, but have made the
> > following observations: if pic is chosen, the fact that it would be part
> > of the ipsec subsystem makes the problem of getting the cert into the
> > ipsec credential db transparent to the user. If getcert is used with a
> > browser interface, this is not the case (although I know getcert could
> > be implemented by the ipsec client code as well). Also, getcert may be
> > susceptible to any associated tls security issues. Comments, anyone?
> >
> > Scott
> 
> If the solution is too tightly bound to the IKE implementation, deployment
> of the solution will require that all IKE implementations used by the corporation
> be changed. On the other hand, a separate client product pushing a cert to an
> OS cert store and a separate authentication server would be more easily deployable.
> 

The fact that pic uses an ike variant doesn't mean it is tightly bound
to the ike implementation, necessarily. For example, a pic
implementation need not run on the headend, meaning that ike
implementation would not change at all. Where it *would* require
widespread change would be in the remote access clients, but these
systems have to be modified either way.

Scott


From owner-ietf-ipsra@mail.vpnc.org  Mon Feb 12 14:10:35 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA18862
	for <ipsra-archive@odin.ietf.org>; Mon, 12 Feb 2001 14:10:34 -0500 (EST)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id KAA13571
	for ietf-ipsra-bks; Mon, 12 Feb 2001 10:28:07 -0800 (PST)
Received: from NEPTUNE.zucotto.com ([216.95.209.154])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA13268;
	Mon, 12 Feb 2001 10:25:00 -0800 (PST)
Received: by NEPTUNE.zucotto.com with Internet Mail Service (5.5.2650.21)
	id <CTQSWMHL>; Mon, 12 Feb 2001 13:24:47 -0500
Message-ID: <FC0292EA4D13D34EA2E5FC728D70A8E33935CA@NEPTUNE.zucotto.com>
From: Kulwinder Atwal <kulwinder.atwal@zucotto.com>
To: "'James Kempf'" <kempf@heliopolis.Eng.Sun.COM>, zeroconf@merit.edu,
        seamoby@cdma-2000.org, MOBILE-IP@standards.nortelnetworks.com,
        srvloc@srvloc.org, aaa-wg@merit.edu, manet@itd.nrl.navy.mil,
        ipsec@lists.tislabs.com, ipsec-policy@vpnc.org, ietf-ipsra@vpnc.org,
        ietf-sacred@imc.org, enum@ietf.org,
        sigtran@standards.nortelnetworks.com, ietf@ietf.org,
        IETF-Announce@ietf.org, BLUETOOTH-BOF@mailbag.cps.intel.com,
        kulwinder.atwal@herc.zucotto.com
Cc: narten@raleigh.ibm.com, Ron.Akers@motorola.com
Subject: RE: [seamoby] BOF:   IP over Bluetooth for 50th Meeting of IETF. 
Date: Mon, 12 Feb 2001 13:24:43 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

Your concerns will be addressed in a favourable manner.
Please join the list.  Your input is very welcome.

- Kulwinder.

> -----Original Message-----
> From: James Kempf [mailto:kempf@heliopolis.Eng.Sun.COM]
> Sent: Monday, February 12, 2001 1:18 PM
> To: zeroconf@merit.edu; seamoby@cdma-2000.org;
> MOBILE-IP@standards.nortelnetworks.com; srvloc@srvloc.org;
> aaa-wg@merit.edu; manet@itd.nrl.navy.mil; ipsec@lists.tislabs.com;
> ipsec-policy@vpnc.org; ietf-ipsra@vpnc.org; ietf-sacred@imc.org;
> enum@ietf.org; sigtran@standards.nortelnetworks.com; ietf@ietf.org;
> IETF-Announce@ietf.org; BLUETOOTH-BOF@mailbag.cps.intel.com;
> kulwinder.atwal@herc.zucotto.com
> Cc: narten@raleigh.ibm.com; Ron.Akers@motorola.com
> Subject: Re: [seamoby] BOF: IP over Bluetooth for 50th 
> Meeting of IETF. 
> 
> 
> Kulwinder,
> 
> There is an issue here with the closed, proprietary nature of 
> the Bluetooth
> SIG. Since information on what the SIG is doing is not available until
> it is complete, there is nothing to prevent the SIG from 
> doing something
> that would invalidate the work that IETF puts into desiging a better
> IP over Bluetooth.
> 
> Is there any possibility of gaining assurance from the SIG that they
> won't do something like this?
> 
> 		jak
> 
> 
> >
> >Myself and Ron Akers have requested an IP over Bluetooth BOF 
> for the 50th
> >Meeting of the IETF in Minneapolis.  The BOF will discuss 
> the creation of a
> >IETF Working Group to investigate the most open and 
> efficient way to place
> >IP over the Bluetooth Host Controller.
> >
> >Current work in this area within the Bluetooth SIG 
> concentrates on defining
> >IP over a set of other lower-layer stacks. Currently there 
> are two options
> >defined by the Bluetoth SIG:
> >
> > Option 1: IP/PPP/RFCOM/L2CAP/Host Controller
> >
> > Option 2: IP/PAN Profile/L2CAP/Host Controller
> > 	   (where the PAN Profile is a Bluetooth SIG work in progress)
> > 
> >
> >We are proposing that the IETF form a WG to define a more 
> efficient way of
> >running IP over Bluetooth. In particular, IP would run
> > over an IETF protocol over the Host Controller without 
> L2CAP.  This option
> >may be adopted by the Bluetooth SIG at a later date as a 
> Profile.  Since all
> >Bluetooth SIG Profiles are optional, a customer may choose 
> any combination
> >of Profiles in a final product.  Further, since Bluetooth 
> Working Groups
> >have it in their mandate to adopt protocols from other 
> standards making
> >bodies such as the IETF, there exists a clear path for IETF 
> work to be
> >adopted by the Bluetooth SIG.
> > 
> >Whereas the last BOF was informational only and organized by 
> the Bluetooth
> >SIG itself, the objective of this BOF will be to foster 
> innovation, and
> >speed progress by placing IP related protocol development 
> wihin the IETF and
> >Bluetooth-specific protocol development
> > within the Bluetooth SIG, by developing an IP over 
> Bluetooth IETF Working
> >Group.
> > 
> >This effort will define its own way of running IP over Bluetooth, by
> >carefully selecting a set of Bluetooth protocols (freely 
> available from
> >published specifications at
> >http://www.bluetooth.com/developer/specification/specificatio
> n.asp) on which
> >to build IP.
> >
> >Please join myself, Kulwinder Atwal, and Ron Akers on the 
> pre-BOF mailing
> >list:
> > 
> >This site runs version 2.0.1 of the "Mailman" list manager.  
> >The following describes commands you can send to get
> >information about, and control your subscription to the lists at
> >this site. Note that much of the following can also be 
> >accomplished via the World Wide Web, at:
> >
> >    http://internet.motlabs.com/mailman/listinfo/bluetooth
> >
> >In particular, you can use the Web site to have your password sent to
> >your delivery address.
> >
> >Email commands can be in the subject line or in the body 
> >of the message. The commands should be set to the following address:
> >
> >  <bluetooth-request@internet.motlabs.com>
> >
> >About the descriptions - words in "<>"s signify REQUIRED items and
> >words in "[]" denote OPTIONAL items.  Do not include the "<>"s or
> >"[]"s when you use the commands.
> >
> >The following commands are valid:
> >
> >    subscribe [password] [digest-option] [address=<address>]
> >        Subscribe to the mailing list.  Your password must 
> be given to
> >        unsubscribe or change your options.  When you 
> subscribe to the
> >        list, you'll be reminded of your password periodically.
> >        'digest-option' may be either: 'nodigest' or 'digest' (no
> >        quotes!)  If you wish to subscribe an address other than the
> >        address you send this request from, you may specify
> >        "address=<email address>" (no brackets around the email
> >        address, no quotes!)
> >
> >    unsubscribe <password> [address]
> >        Unsubscribe from the mailing list.  Your password must match
> >        the one you gave when you subscribed.  If you are trying to
> >        unsubscribe from a different address than the one you
> >        subscribed from, you may specify it in the 'address' field.
> >
> >    who
> >        See everyone who is on this mailing list.
> >
> >    info
> >        View the introductory information for this list.
> >
> >    lists
> >        See what mailing lists are run by this Mailman server.
> >
> >    help
> >        This message.
> >
> >    set <option> <on|off> <password> 
> >        Turn on or off list options.  Valid options are:
> >
> >        ack:
> >            Turn this on to receive acknowledgement mail 
> when you send
> >            mail to the list.
> >
> >        digest:
> >            Receive mail from the list bundled together 
> instead of one
> >            post at a time.
> >
> >        plain:
> >            Get plain-text, not MIME-compliant, digests (only if
> >            digest is set)
> >
> >        nomail:
> >            Stop delivering mail.  Useful if you plan on taking a
> >            short vacation.
> >
> >        norcv:
> >            Turn this on to NOT receive posts you send to the list.
> >            Does not work if digest is set.
> >
> >        hide:
> >            Conceals your address when people look at who is on this
> >            list.
> >
> >
> >    options
> >        Show the current values of your list options.
> >
> >    password <oldpassword> <newpassword> 
> >        Change your list password.
> >    
> >    end or --
> >       Stop processing commands (good to do if your mailer
> >       automatically adds a signature file - it'll save you 
> from a lot
> >       of cruft).
> >
> >
> >Commands should be sent to bluetooth-request@internet.motlabs.com
> >
> >Questions and concerns for the attention of a person should 
> be sent to
> >
> >    bluetooth-admin@internet.motlabs.com
> >
> >
> >
> >Kulwinder Atwal
> >Bluetooth Design
> >Zucotto Wireless Inc.
> >kulwinder.atwal@zucotto.com
> >
> >------------------------------------------------------------
> >Ron Akers                               Voice :(847)576-7928
> >Networks and Infrastructure Research      FAX :(847)576-3240
> >Motorola Laboratories           email:ron.akers@motorola.com 
> >1301 Algonquin Rd, Rm 2246
> >Schaumburg, IL. 60196
> >------------------------------------------------------------
> 


From owner-ietf-ipsra@mail.vpnc.org  Mon Feb 12 15:11:54 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA20407
	for <ipsra-archive@odin.ietf.org>; Mon, 12 Feb 2001 15:11:53 -0500 (EST)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id KAA12829
	for ietf-ipsra-bks; Mon, 12 Feb 2001 10:19:59 -0800 (PST)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA12819;
	Mon, 12 Feb 2001 10:19:56 -0800 (PST)
Received: from engmail2.Eng.Sun.COM ([129.146.1.25])
	by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA07466;
	Mon, 12 Feb 2001 10:17:57 -0800 (PST)
Received: from srmtv29a.Eng.Sun.COM (srmtv29a.Eng.Sun.COM [152.70.1.41])
	by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id KAA11825;
	Mon, 12 Feb 2001 10:17:56 -0800 (PST)
Received: from srmtv29a (srmtv29a [152.70.1.41])
	by srmtv29a.Eng.Sun.COM (8.10.2+Sun/8.10.2) with SMTP id f1CIHtB19978;
	Mon, 12 Feb 2001 10:17:55 -0800 (PST)
Message-Id: <200102121817.f1CIHtB19978@srmtv29a.Eng.Sun.COM>
Date: Mon, 12 Feb 2001 10:17:55 -0800 (PST)
From: James Kempf <kempf@heliopolis.Eng.Sun.COM>
Reply-To: James Kempf <kempf@heliopolis.Eng.Sun.COM>
Subject: Re: [seamoby] BOF:   IP over Bluetooth for 50th Meeting of IETF. 
To: zeroconf@merit.edu, seamoby@cdma-2000.org,
        MOBILE-IP@STANDARDS.NORTELNETWORKS.COM, srvloc@srvloc.org,
        aaa-wg@merit.edu, manet@itd.nrl.navy.mil, ipsec@lists.tislabs.com,
        ipsec-policy@vpnc.org, ietf-ipsra@vpnc.org, ietf-sacred@imc.org,
        enum@ietf.org, sigtran@STANDARDS.NORTELNETWORKS.COM, ietf@ietf.org,
        IETF-Announce@ietf.org, BLUETOOTH-BOF@mailbag.cps.intel.com,
        kulwinder.atwal@zucotto.com
Cc: narten@raleigh.ibm.com, Ron.Akers@motorola.com
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: IQNb6xGFCtgsJJ6tIPx3Gg==
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.4.2 SunOS 5.8 sun4u sparc 
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

Kulwinder,

There is an issue here with the closed, proprietary nature of the Bluetooth
SIG. Since information on what the SIG is doing is not available until
it is complete, there is nothing to prevent the SIG from doing something
that would invalidate the work that IETF puts into desiging a better
IP over Bluetooth.

Is there any possibility of gaining assurance from the SIG that they
won't do something like this?

		jak


>
>Myself and Ron Akers have requested an IP over Bluetooth BOF for the 50th
>Meeting of the IETF in Minneapolis.  The BOF will discuss the creation of a
>IETF Working Group to investigate the most open and efficient way to place
>IP over the Bluetooth Host Controller.
>
>Current work in this area within the Bluetooth SIG concentrates on defining
>IP over a set of other lower-layer stacks. Currently there are two options
>defined by the Bluetoth SIG:
>
> Option 1: IP/PPP/RFCOM/L2CAP/Host Controller
>
> Option 2: IP/PAN Profile/L2CAP/Host Controller
> 	   (where the PAN Profile is a Bluetooth SIG work in progress)
> 
>
>We are proposing that the IETF form a WG to define a more efficient way of
>running IP over Bluetooth. In particular, IP would run
> over an IETF protocol over the Host Controller without L2CAP.  This option
>may be adopted by the Bluetooth SIG at a later date as a Profile.  Since all
>Bluetooth SIG Profiles are optional, a customer may choose any combination
>of Profiles in a final product.  Further, since Bluetooth Working Groups
>have it in their mandate to adopt protocols from other standards making
>bodies such as the IETF, there exists a clear path for IETF work to be
>adopted by the Bluetooth SIG.
> 
>Whereas the last BOF was informational only and organized by the Bluetooth
>SIG itself, the objective of this BOF will be to foster innovation, and
>speed progress by placing IP related protocol development wihin the IETF and
>Bluetooth-specific protocol development
> within the Bluetooth SIG, by developing an IP over Bluetooth IETF Working
>Group.
> 
>This effort will define its own way of running IP over Bluetooth, by
>carefully selecting a set of Bluetooth protocols (freely available from
>published specifications at
>http://www.bluetooth.com/developer/specification/specification.asp) on which
>to build IP.
>
>Please join myself, Kulwinder Atwal, and Ron Akers on the pre-BOF mailing
>list:
> 
>This site runs version 2.0.1 of the "Mailman" list manager.  
>The following describes commands you can send to get
>information about, and control your subscription to the lists at
>this site. Note that much of the following can also be 
>accomplished via the World Wide Web, at:
>
>    http://internet.motlabs.com/mailman/listinfo/bluetooth
>
>In particular, you can use the Web site to have your password sent to
>your delivery address.
>
>Email commands can be in the subject line or in the body 
>of the message. The commands should be set to the following address:
>
>  <bluetooth-request@internet.motlabs.com>
>
>About the descriptions - words in "<>"s signify REQUIRED items and
>words in "[]" denote OPTIONAL items.  Do not include the "<>"s or
>"[]"s when you use the commands.
>
>The following commands are valid:
>
>    subscribe [password] [digest-option] [address=<address>]
>        Subscribe to the mailing list.  Your password must be given to
>        unsubscribe or change your options.  When you subscribe to the
>        list, you'll be reminded of your password periodically.
>        'digest-option' may be either: 'nodigest' or 'digest' (no
>        quotes!)  If you wish to subscribe an address other than the
>        address you send this request from, you may specify
>        "address=<email address>" (no brackets around the email
>        address, no quotes!)
>
>    unsubscribe <password> [address]
>        Unsubscribe from the mailing list.  Your password must match
>        the one you gave when you subscribed.  If you are trying to
>        unsubscribe from a different address than the one you
>        subscribed from, you may specify it in the 'address' field.
>
>    who
>        See everyone who is on this mailing list.
>
>    info
>        View the introductory information for this list.
>
>    lists
>        See what mailing lists are run by this Mailman server.
>
>    help
>        This message.
>
>    set <option> <on|off> <password> 
>        Turn on or off list options.  Valid options are:
>
>        ack:
>            Turn this on to receive acknowledgement mail when you send
>            mail to the list.
>
>        digest:
>            Receive mail from the list bundled together instead of one
>            post at a time.
>
>        plain:
>            Get plain-text, not MIME-compliant, digests (only if
>            digest is set)
>
>        nomail:
>            Stop delivering mail.  Useful if you plan on taking a
>            short vacation.
>
>        norcv:
>            Turn this on to NOT receive posts you send to the list.
>            Does not work if digest is set.
>
>        hide:
>            Conceals your address when people look at who is on this
>            list.
>
>
>    options
>        Show the current values of your list options.
>
>    password <oldpassword> <newpassword> 
>        Change your list password.
>    
>    end or --
>       Stop processing commands (good to do if your mailer
>       automatically adds a signature file - it'll save you from a lot
>       of cruft).
>
>
>Commands should be sent to bluetooth-request@internet.motlabs.com
>
>Questions and concerns for the attention of a person should be sent to
>
>    bluetooth-admin@internet.motlabs.com
>
>
>
>Kulwinder Atwal
>Bluetooth Design
>Zucotto Wireless Inc.
>kulwinder.atwal@zucotto.com
>
>------------------------------------------------------------
>Ron Akers                               Voice :(847)576-7928
>Networks and Infrastructure Research      FAX :(847)576-3240
>Motorola Laboratories           email:ron.akers@motorola.com 
>1301 Algonquin Rd, Rm 2246
>Schaumburg, IL. 60196
>------------------------------------------------------------



From owner-ietf-ipsra@mail.vpnc.org  Mon Feb 12 15:28:05 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA20679
	for <ipsra-archive@odin.ietf.org>; Mon, 12 Feb 2001 15:28:04 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id LAA17267
	for ietf-ipsra-bks; Mon, 12 Feb 2001 11:41:46 -0800 (PST)
Received: from htt-consult.com ([63.82.18.210])
	by above.proper.com (8.9.3/8.9.3) with SMTP id LAA17260;
	Mon, 12 Feb 2001 11:41:44 -0800 (PST)
Received: from rgm.htt-consult.com ([63.82.18.214]) by htt-consult.com ; Mon, 12 Feb 2001 14:42:05 -0500
Message-Id: <5.0.0.25.2.20010212143652.02a05030@localhost>
X-Sender: rgm-sec@localhost
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Mon, 12 Feb 2001 14:40:53 -0500
To: Ari Huttunen <Ari.Huttunen@f-secure.com>, Sara Bitan <sarab@radguard.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: Starting the decision on PIC vs. GetCert
Cc: IPSRA list <ietf-ipsra@vpnc.org>, Paul Hoffman <phoffman@vpnc.org>
In-Reply-To: <3A868085.95BC3980@F-Secure.com>
References: <3A7D16A5.C9F094D9@radguard.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At 02:07 PM 2/11/2001 +0200, Ari Huttunen wrote:
>I like the ability mentioned in PIC to locate the Authentication Server
>and the GW in different locations, in an attempt to provide resistance
>to DoS attacks against the GW. This capability should also be possible
>in Getcert.

It is an I don't see any reason to call it out.  But if you people want 
pictures, I will make 'em.

I fact there is probably the need to call out that the AS, GW, and RADIUS 
are just one box for the 'small office' senario  :)

>I would also like to see it possible for the AS to provide the client
>a "policy blob".

two ways to handle that.  as part of the EAP exchange or as part of the CMP ip.

when do you think it should occur (as part of authentication of client to 
AS or as part of receving cert).


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com



From owner-ietf-ipsra@mail.vpnc.org  Tue Feb 13 02:35:52 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id CAA13970
	for <ipsra-archive@odin.ietf.org>; Tue, 13 Feb 2001 02:35:52 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id XAA12564
	for ietf-ipsra-bks; Mon, 12 Feb 2001 23:05:35 -0800 (PST)
Received: from gate.internaut.com ([64.38.134.108])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA12547;
	Mon, 12 Feb 2001 23:05:33 -0800 (PST)
Received: from e1kj2 (e1kj2 [64.38.134.109])
	by gate.internaut.com (8.10.2/8.10.2) with SMTP id f1D6xTJ25766;
	Mon, 12 Feb 2001 22:59:29 -0800
From: "Bernard Aboba" <aboba@internaut.com>
To: "Robert Moskowitz" <rgm-sec@htt-consult.com>,
        "Ari Huttunen" <Ari.Huttunen@f-secure.com>,
        "Sara Bitan" <sarab@radguard.com>
Cc: "IPSRA list" <ietf-ipsra@vpnc.org>, "Paul Hoffman" <phoffman@vpnc.org>
Subject: RE: Starting the decision on PIC vs. GetCert
Date: Mon, 12 Feb 2001 23:06:15 -0800
Message-ID: <OJEJKOMOEAKLMOILFCPJOEBCEBAA.aboba@internaut.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <5.0.0.25.2.20010212143652.02a05030@localhost>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

>when do you think it should occur (as part of authentication of client to
>AS or as part of receving cert).

My opinion: as part of receiving the cert. EAP authentication methods such
as SecurID are already specified and thus cannot be changed so as to push
policies. So this needs to be done outside of the EAP authentication
process.




From owner-ietf-ipsra@mail.vpnc.org  Tue Feb 13 08:37:55 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA17726
	for <ipsra-archive@odin.ietf.org>; Tue, 13 Feb 2001 08:37:55 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id EAA29363
	for ietf-ipsra-bks; Tue, 13 Feb 2001 04:57:13 -0800 (PST)
Received: from fw.hel.fi.ssh.com (fw.hel.fi.ssh.com [193.64.193.124])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA29359
	for <ietf-ipsra@vpnc.org>; Tue, 13 Feb 2001 04:57:11 -0800 (PST)
Received: from viikuna.hel.fi.ssh.com (viikuna.hel.fi.ssh.com [10.1.0.46])
	by fw.hel.fi.ssh.com (SSH-1.22) with SMTP id OAA28546
	for <ietf-ipsra@vpnc.org>; Tue, 13 Feb 2001 14:57:10 +0200 (EET)
Received: (qmail 13768 invoked from network); 13 Feb 2001 12:57:10 -0000
Received: from lavuaari.hel.fi.ssh.com (HELO taulu.hel.fi.ssh.com) ([10.1.0.48]) (envelope-sender <kivinen@ssh.fi>)
          by viikuna.hel.fi.ssh.com (qmail-ldap-1.03) with SMTP
          for <Ari.Huttunen@f-secure.com>; 13 Feb 2001 12:57:10 -0000
Received: (from kivinen@localhost)
	by taulu.hel.fi.ssh.com (8.9.3/8.9.3/SSH-1.13) id OAA07228;
	Tue, 13 Feb 2001 14:57:10 +0200 (EET)
X-Authentication-Warning: taulu.hel.fi.ssh.com: kivinen set sender to <kivinen@ssh.fi> using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14985.12069.525851.31372@taulu.hel.fi.ssh.com>
Date: Tue, 13 Feb 2001 14:57:09 +0200
From: Tero Kivinen <kivinen@ssh.fi>
To: "Scott G. Kelly" <skelly@redcreek.com>
Cc: Ari Huttunen <Ari.Huttunen@f-secure.com>, IPSRA list <ietf-ipsra@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert
In-Reply-To: <3A881519.AE1A2864@redcreek.com>
References: <3A7D16A5.C9F094D9@radguard.com>
	<3A806B9D.51EF91D6@redcreek.com>
	<3A868317.C0E8291F@F-Secure.com>
	<3A881519.AE1A2864@redcreek.com>
X-Mailer: VM 6.88 under Emacs 20.7.2
Organization: SSH Communications Security Oy
X-Edit-Time: 11 min
X-Total-Time: 5 min
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Scott G. Kelly writes:
> The fact that pic uses an ike variant doesn't mean it is tightly bound
> to the ike implementation, necessarily. For example, a pic
> implementation need not run on the headend, meaning that ike
> implementation would not change at all. Where it *would* require
> widespread change would be in the remote access clients, but these
> systems have to be modified either way.

I think that in almost all implementations of the PIC are going to be
very tightly bound to the IKE implementation itself (i.e sharing code,
runnig same state machine etc). Of course there will be lots of IKE
implementations which do not include PIC at all, and those will still
be same...

Adding PIC there WILL add complexity of the IKE. I think we have to
just realize that. The added complexity is propably not going to be
too much.

Getcert can be implemented as a part of IKE or as a separate system. I
think quite a lot of the implementations are going to use the second
alternative, i.e build separate piece of code to run the getcert
protocol, thus keeping the complexity out of the core IKE/IPsec
system.
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/


From owner-ietf-ipsra@mail.vpnc.org  Tue Feb 13 16:02:51 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA00272
	for <ipsra-archive@odin.ietf.org>; Tue, 13 Feb 2001 16:02:51 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id MAA29733
	for ietf-ipsra-bks; Tue, 13 Feb 2001 12:17:52 -0800 (PST)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA29729
	for <ietf-ipsra@vpnc.org>; Tue, 13 Feb 2001 12:17:50 -0800 (PST)
Received: from eastmail2.East.Sun.COM ([129.148.1.241])
	by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id MAA16657;
	Tue, 13 Feb 2001 12:17:44 -0800 (PST)
Received: from thunk.east.sun.com (thunk.East.Sun.COM [129.148.174.66])
	by eastmail2.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id PAA25552;
	Tue, 13 Feb 2001 15:17:43 -0500 (EST)
Received: from thunk (localhost [127.0.0.1])
	by thunk.east.sun.com (8.11.2+Sun/8.10.2) with ESMTP id f1DKHg917046;
	Tue, 13 Feb 2001 15:17:42 -0500 (EST)
Message-Id: <200102132017.f1DKHg917046@thunk.east.sun.com>
From: Bill Sommerfeld <sommerfeld@east.sun.com>
To: Tero Kivinen <kivinen@ssh.fi>
cc: IPSRA list <ietf-ipsra@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert 
In-reply-to: Your message of "Tue, 13 Feb 2001 14:57:09 +0200."
             <14985.12069.525851.31372@taulu.hel.fi.ssh.com> 
Reply-to: sommerfeld@east.sun.com
Date: Tue, 13 Feb 2001 15:17:41 -0500
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

getcert looks like the right approach from a modularity standpoint.

It also *potentially* fits in better than PIC with the way my employer
currently does remote access.  (I'd guess that this applies to other
organizations as well).

					- Bill


From owner-ietf-ipsra@mail.vpnc.org  Wed Feb 14 04:13:30 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id EAA25241
	for <ipsra-archive@odin.ietf.org>; Wed, 14 Feb 2001 04:13:29 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id AAA15259
	for ietf-ipsra-bks; Wed, 14 Feb 2001 00:31:38 -0800 (PST)
Received: from hippolyte.radguard.com ([192.117.11.9])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id AAA15236;
	Wed, 14 Feb 2001 00:31:34 -0800 (PST)
Received: from hellman.radguard.com (unverified) by hippolyte.radguard.com
 (Content Technologies SMTPRS 4.2.1) with SMTP id <T51b8ed0e09c0750b09099@hippolyte.radguard.com>;
 Wed, 14 Feb 2001 10:34:54 +0200
Received: from yaron by hellman.radguard.com (8.8.8+Sun/SMI-SVR4)
	id KAA17887; Wed, 14 Feb 2001 10:30:16 +0200 (IST)
From: "Yaron Sheffer" <yaron.sheffer@radguard.com>
To: "Bernard Aboba" <aboba@internaut.com>,
        "Robert Moskowitz" <rgm-sec@htt-consult.com>,
        "Ari Huttunen" <Ari.Huttunen@f-secure.com>,
        "Sara Bitan" <sarab@radguard.com>
Cc: "IPSRA list" <ietf-ipsra@vpnc.org>, "Paul Hoffman" <phoffman@vpnc.org>
Subject: RE: Starting the decision on PIC vs. GetCert
Date: Wed, 14 Feb 2001 10:31:04 +0200
Message-ID: <NEBBLPNPLGOBIJCOOIDPMEINCGAA.yaron.sheffer@radguard.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <OJEJKOMOEAKLMOILFCPJOEBCEBAA.aboba@internaut.com>
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

A third alternative is to push policy separately (neither from the legacy AS
nor from the CA). The policy "blob" would be wrapped as another MIME in
getcert, or another ISAKMP payload in PIC.

	Yaron

-----Original Message-----
From: owner-ietf-ipsra@mail.vpnc.org
[mailto:owner-ietf-ipsra@mail.vpnc.org]On Behalf Of Bernard Aboba
Sent: Tuesday, February 13, 2001 9:06 AM
To: Robert Moskowitz; Ari Huttunen; Sara Bitan
Cc: IPSRA list; Paul Hoffman
Subject: RE: Starting the decision on PIC vs. GetCert


>when do you think it should occur (as part of authentication of client to
>AS or as part of receving cert).

My opinion: as part of receiving the cert. EAP authentication methods such
as SecurID are already specified and thus cannot be changed so as to push
policies. So this needs to be done outside of the EAP authentication
process.




From owner-ietf-ipsra@mail.vpnc.org  Wed Feb 14 13:15:12 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA10031
	for <ipsra-archive@odin.ietf.org>; Wed, 14 Feb 2001 13:15:11 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id JAA03854
	for ietf-ipsra-bks; Wed, 14 Feb 2001 09:34:43 -0800 (PST)
Received: from ee.technion.ac.il ([132.68.48.5])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA03848
	for <ietf-ipsra@vpnc.org>; Wed, 14 Feb 2001 09:34:41 -0800 (PST)
Received: from localhost (hugo@localhost)
	by ee.technion.ac.il (8.9.3+Sun/8.9.3) with ESMTP id TAA07095;
	Wed, 14 Feb 2001 19:32:25 +0200 (IST)
Date: Wed, 14 Feb 2001 19:32:24 +0200 (IST)
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: Bill Sommerfeld <sommerfeld@east.sun.com>
cc: IPSRA list <ietf-ipsra@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert 
In-Reply-To: <200102132017.f1DKHg917046@thunk.east.sun.com>
Message-ID: <Pine.GSO.4.21.0102141923490.6220-100000@ee.technion.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

I do not see why an SSL-based solution is more modular.
What SSL gives you is (assuming you have SSL running in your 
authentication server) a somewhat faster-to-deploy solution.

I'd say that if one thinks of the problem at hand as something 
that will go away in a year or two at most then a fast SSL-based
solution is best.

If one thinks this functionality (certiifcate retrieval using passwords
and legacy systems) is here to stay for long then PIC is a better
solution from the point of view of security architecture.
It stays in the realm of IKE (to which it serves by definition); and
you can control its implementation, management and level of security
(rather than SSL that will be used "as is" and its "is" is not that good
these days).

From an architectural point of view what getcert does in comparison
to PIC is to replace the first two message of PIC with a whole SSL
hanshake.

Also, an IKE-like solution could in the future (when IKE gets stabilized
and deployed) be added, if so desired, as a direct-authentication IKE
mode.

Hugo

On Tue, 13 Feb 2001, Bill Sommerfeld wrote:

> getcert looks like the right approach from a modularity standpoint.
> 
> It also *potentially* fits in better than PIC with the way my employer
> currently does remote access.  (I'd guess that this applies to other
> organizations as well).
> 
> 					- Bill
> 



From owner-ietf-ipsra@mail.vpnc.org  Wed Feb 14 13:46:07 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11856
	for <ipsra-archive@odin.ietf.org>; Wed, 14 Feb 2001 13:46:06 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id KAA05279
	for ietf-ipsra-bks; Wed, 14 Feb 2001 10:07:29 -0800 (PST)
Received: from tholian.securitydynamics.com (tholian.securid.com [204.167.112.129])
	by above.proper.com (8.9.3/8.9.3) with SMTP id KAA05272
	for <ietf-ipsra@vpnc.org>; Wed, 14 Feb 2001 10:07:28 -0800 (PST)
Received: from [192.168.7.5] by tholian.securitydynamics.com
          via smtpd (for mail.vpnc.org [208.184.76.50]) with SMTP; 14 Feb 2001 18:05:58 UT
Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4])
	by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id NAA15110;
	Wed, 14 Feb 2001 13:03:36 -0500 (EST)
Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21)
	id <1PPSPY51>; Wed, 14 Feb 2001 13:03:36 -0500
Message-ID: <F504A8CEE925D411AF4A00508B8BE90AC22CC5@exna07.securitydynamics.com>
From: "Kavsan, Bronislav" <bkavsan@rsasecurity.com>
To: "'Hugo Krawczyk'" <hugo@ee.technion.ac.il>,
        Bill Sommerfeld
	 <sommerfeld@east.sun.com>
Cc: IPSRA list <ietf-ipsra@vpnc.org>
Subject: RE: Starting the decision on PIC vs. GetCert 
Date: Wed, 14 Feb 2001 13:03:23 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

I wouldn't limit the scope of either of those proposals to pre-IKE only
(name PIC is somewhat unfortunate), but rather look at it as more general
mechanism for secure distribution of mobile credentials to users, where IKE
is only one possible use.

-----Original Message-----
From: Hugo Krawczyk [mailto:hugo@ee.technion.ac.il]
Sent: Wednesday, February 14, 2001 12:32 PM
To: Bill Sommerfeld
Cc: IPSRA list
Subject: Re: Starting the decision on PIC vs. GetCert 


I do not see why an SSL-based solution is more modular.
What SSL gives you is (assuming you have SSL running in your 
authentication server) a somewhat faster-to-deploy solution.

I'd say that if one thinks of the problem at hand as something 
that will go away in a year or two at most then a fast SSL-based
solution is best.

If one thinks this functionality (certiifcate retrieval using passwords
and legacy systems) is here to stay for long then PIC is a better
solution from the point of view of security architecture.
It stays in the realm of IKE (to which it serves by definition); and
you can control its implementation, management and level of security
(rather than SSL that will be used "as is" and its "is" is not that good
these days).

From an architectural point of view what getcert does in comparison
to PIC is to replace the first two message of PIC with a whole SSL
hanshake.

Also, an IKE-like solution could in the future (when IKE gets stabilized
and deployed) be added, if so desired, as a direct-authentication IKE
mode.

Hugo

On Tue, 13 Feb 2001, Bill Sommerfeld wrote:

> getcert looks like the right approach from a modularity standpoint.
> 
> It also *potentially* fits in better than PIC with the way my employer
> currently does remote access.  (I'd guess that this applies to other
> organizations as well).
> 
> 					- Bill
> 


From owner-ietf-ipsra@mail.vpnc.org  Wed Feb 14 14:00:01 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA12815
	for <ipsra-archive@odin.ietf.org>; Wed, 14 Feb 2001 14:00:00 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id KAA05925
	for ietf-ipsra-bks; Wed, 14 Feb 2001 10:21:02 -0800 (PST)
Received: from rc_westlake.interdyn.com ([205.147.53.144])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA05921
	for <ietf-ipsra@vpnc.org>; Wed, 14 Feb 2001 10:21:01 -0800 (PST)
Received: by RC_WESTLAKE with Internet Mail Service (5.5.2653.19)
	id <1F7PC7BA>; Wed, 14 Feb 2001 10:20:33 -0800
Received: from redcreek.com (host43.redcreek.com [209.218.26.43]) by exchange.redcreek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
	id 15AA8KV9; Wed, 14 Feb 2001 10:20:23 -0800
Message-ID: <3A8ACC5F.C74D217E@redcreek.com>
Date: Wed, 14 Feb 2001 10:20:15 -0800
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (X11; U; Linux 2.2.12-20 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: "Kavsan, Bronislav" <bkavsan@rsasecurity.com>
CC: "'Hugo Krawczyk'" <hugo@ee.technion.ac.il>,
        Bill Sommerfeld <sommerfeld@east.sun.com>,
        IPSRA list <ietf-ipsra@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert
References: <F504A8CEE925D411AF4A00508B8BE90AC22CC5@exna07.securitydynamics.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Hi Slava,

"Kavsan, Bronislav" wrote:
> 
> I wouldn't limit the scope of either of those proposals to pre-IKE only
> (name PIC is somewhat unfortunate), but rather look at it as more general
> mechanism for secure distribution of mobile credentials to users, where IKE
> is only one possible use.

I think "mobile credentials" are out of scope, and fall within the
purvey of the sacred wg. I think what we are trying to do here is
provide a mechanism for the use of legacy authentication for ipsec
remote access in a more secure manner than those previously proposed
would.

Scott


From owner-ietf-ipsra@mail.vpnc.org  Wed Feb 14 17:24:54 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA18019
	for <ipsra-archive@odin.ietf.org>; Wed, 14 Feb 2001 17:24:52 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id NAA17714
	for ietf-ipsra-bks; Wed, 14 Feb 2001 13:41:03 -0800 (PST)
Received: from ns01.newbridge.com (ns01.newbridge.com [192.75.23.67])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA17709
	for <ietf-ipsra@vpnc.org>; Wed, 14 Feb 2001 13:40:58 -0800 (PST)
Received: (from smtpd@localhost)
	by ns01.newbridge.com (8.9.2/8.9.2) id QAA11545
	for <ietf-ipsra@vpnc.org>; Wed, 14 Feb 2001 16:31:49 -0500 (EST)
Received: from portal1.newbridge.com(192.75.23.76), claiming to be "kanata-mh1.ca.newbridge.com"
 via SMTP by ns01.newbridge.com, id smtpdBAAAwjhq_; Wed Feb 14 16:31:41 2001
Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP for ietf-ipsra@vpnc.org; Wed, 14 Feb 2001 16:39:09 -0500
Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com
          (Netscape Messaging Server 3.6)  with ESMTP id AAA22DB
          for <ietf-ipsra@vpnc.org>; Wed, 14 Feb 2001 16:39:08 -0500
Reply-To: <andrew.krywaniuk@alcatel.com>
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
To: <'=SMTP:ietf-ipsra@vpnc.org'>
Subject: RE: Starting the decision on PIC vs. GetCert
Date: Wed, 14 Feb 2001 16:37:16 -0500
Message-Id: <008e01c096ce$4e0b0bb0$1e72788a@andrewk3.ca.alcatel.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
In-Reply-To: <3A8ACC5F.C74D217E@redcreek.com>
Importance: Normal
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

<flamebait>

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line 
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.


> -----Original Message-----
> From: owner-ietf-ipsra@mail.vpnc.org
> [mailto:owner-ietf-ipsra@mail.vpnc.org]On Behalf Of Scott G. Kelly
> Sent: Wednesday, February 14, 2001 1:20 PM
> To: Kavsan, Bronislav
> Cc: 'Hugo Krawczyk'; Bill Sommerfeld; IPSRA list
> Subject: Re: Starting the decision on PIC vs. GetCert
> 
> 
> Hi Slava,
> 
> "Kavsan, Bronislav" wrote:
> > 
> > I wouldn't limit the scope of either of those proposals to 
> pre-IKE only
> > (name PIC is somewhat unfortunate), but rather look at it 
> as more general
> > mechanism for secure distribution of mobile credentials to 
> users, where IKE
> > is only one possible use.
> 
> I think "mobile credentials" are out of scope, and fall within the
> purvey of the sacred wg. I think what we are trying to do here is
> provide a mechanism for the use of legacy authentication for ipsec
> remote access in a more secure manner than those previously proposed
> would.
> 
> Scott
> 


From owner-ietf-ipsra@mail.vpnc.org  Thu Feb 15 11:12:49 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA21927
	for <ipsra-archive@odin.ietf.org>; Thu, 15 Feb 2001 11:12:48 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id HAA05210
	for ietf-ipsra-bks; Thu, 15 Feb 2001 07:28:11 -0800 (PST)
Received: from dfmail.f-secure.com (dfmail.f-secure.com [194.252.6.39])
	by above.proper.com (8.9.3/8.9.3) with SMTP id HAA05206
	for <ietf-ipsra@vpnc.org>; Thu, 15 Feb 2001 07:28:09 -0800 (PST)
Received: (qmail 940 invoked by uid 0); 15 Feb 2001 15:28:07 -0000
Received: from fsav4im2.f-secure.com (HELO fsav4im2) (194.197.29.47)
  by dfmail.f-secure.com with SMTP; 15 Feb 2001 15:28:07 -0000
Received: from dfintra.f-secure.com ([194.197.29.8]:2174) (HELO dfintra.f-secure.com)
 by fsav4im2 ([194.197.29.47]:25) (F-Secure Anti-Virus for Internet Mail 5.0.53 Release)
 with SMTP; Thu, 15 Feb 2001 15:30:38 -0000
Received: (qmail 19745 invoked from network); 15 Feb 2001 15:28:06 -0000
Received: from unknown (HELO F-Secure.com) (10.128.129.76)
  by dfintra.f-secure.com with SMTP; 15 Feb 2001 15:28:06 -0000
Message-ID: <3A8BF579.B6C0FD1@F-Secure.com>
Date: Thu, 15 Feb 2001 17:27:53 +0200
From: Ari Huttunen <Ari.Huttunen@f-secure.com>
Organization: F-Secure Corporation
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Scott G. Kelly" <skelly@redcreek.com>
CC: "Kavsan, Bronislav" <bkavsan@rsasecurity.com>,
        "'Hugo Krawczyk'" <hugo@ee.technion.ac.il>,
        Bill Sommerfeld <sommerfeld@east.sun.com>,
        IPSRA list <ietf-ipsra@vpnc.org>
Subject: Re: Starting the decision on PIC vs. GetCert
References: <F504A8CEE925D411AF4A00508B8BE90AC22CC5@exna07.securitydynamics.com> <3A8ACC5F.C74D217E@redcreek.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit



"Scott G. Kelly" wrote:
> 
> Hi Slava,
> 
> "Kavsan, Bronislav" wrote:
> >
> > I wouldn't limit the scope of either of those proposals to pre-IKE only
> > (name PIC is somewhat unfortunate), but rather look at it as more general
> > mechanism for secure distribution of mobile credentials to users, where IKE
> > is only one possible use.
> 
> I think "mobile credentials" are out of scope, and fall within the
> purvey of the sacred wg. I think what we are trying to do here is
> provide a mechanism for the use of legacy authentication for ipsec
> remote access in a more secure manner than those previously proposed
> would.
> 
> Scott

I visited the sacred BOF, and I seem to remember that their methods depend on
there existing long term credentials for the client, which the client
could somehow verify after obtaining from the server. This in turn created
better two-way authentication properties than could be employed by IPSRA that
needs to create the client credentials on-the-fly. (Like, they don't depend 
on the user verifying the server certificate as with SSL.)

Someone who knows sacred better could shed more light on this. But in any case
there does seem to be enough reasons for both methods to exist. And no, the IPSRA
method doesn't have to be IKE-only, although it likely will be.

Ari

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security


From owner-ietf-ipsra@mail.vpnc.org  Thu Feb 15 19:34:34 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id TAA02960
	for <ipsra-archive@odin.ietf.org>; Thu, 15 Feb 2001 19:34:34 -0500 (EST)
Received: (from majordomo@localhost)
	by above.proper.com (8.9.3/8.9.3) id PAA03260
	for ietf-ipsra-bks; Thu, 15 Feb 2001 15:52:01 -0800 (PST)
Received: from ns01.newbridge.com (ns01.newbridge.com [192.75.23.67])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA03247
	for <ietf-ipsra@vpnc.org>; Thu, 15 Feb 2001 15:51:58 -0800 (PST)
Received: (from smtpd@localhost)
	by ns01.newbridge.com (8.9.2/8.9.2) id SAA29433
	for <ietf-ipsra@vpnc.org>; Thu, 15 Feb 2001 18:42:53 -0500 (EST)
Received: from portal1.newbridge.com(192.75.23.76), claiming to be "kanata-mh1.ca.newbridge.com"
 via SMTP by ns01.newbridge.com, id smtpdAAA0dApaW; Thu Feb 15 18:42:45 2001
Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP for ietf-ipsra@vpnc.org; Thu, 15 Feb 2001 18:50:24 -0500
Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com
          (Netscape Messaging Server 3.6)  with ESMTP id AAA1027
          for <ietf-ipsra@vpnc.org>; Thu, 15 Feb 2001 18:50:23 -0500
Reply-To: <andrew.krywaniuk@alcatel.com>
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
To: "'IPSRA list'" <ietf-ipsra@vpnc.org>
Subject: RE: Starting the decision on PIC vs. GetCert 
Date: Thu, 15 Feb 2001 18:48:31 -0500
Message-Id: <00d901c097a9$ce1d0750$1e72788a@andrewk3.ca.alcatel.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
In-Reply-To: <Pine.GSO.4.21.0102141923490.6220-100000@ee.technion.ac.il>
Importance: Normal
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

I think the problem (and advantage) of SSL is that you can leverage off of
an existing global PKI.

However, I also feel that IKE will be used in scenarios where administrators
want to have complete administrative control over their PKIs, which negates
this supposed advantage.

I also believe that the decision to use SSL rather than staying within the
realm of ISAKMP was motivated by a belief that SSL is inherently more secure
than IKE. This is something I don't believe to be true.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.


> -----Original Message-----
> From: owner-ietf-ipsra@mail.vpnc.org
> [mailto:owner-ietf-ipsra@mail.vpnc.org]On Behalf Of Hugo Krawczyk
> Sent: Wednesday, February 14, 2001 12:32 PM
> To: Bill Sommerfeld
> Cc: IPSRA list
> Subject: Re: Starting the decision on PIC vs. GetCert
>
>
> I do not see why an SSL-based solution is more modular.
> What SSL gives you is (assuming you have SSL running in your
> authentication server) a somewhat faster-to-deploy solution.
>
> I'd say that if one thinks of the problem at hand as something
> that will go away in a year or two at most then a fast SSL-based
> solution is best.
>
> If one thinks this functionality (certiifcate retrieval using
> passwords
> and legacy systems) is here to stay for long then PIC is a better
> solution from the point of view of security architecture.
> It stays in the realm of IKE (to which it serves by definition); and
> you can control its implementation, management and level of security
> (rather than SSL that will be used "as is" and its "is" is
> not that good
> these days).
>
> From an architectural point of view what getcert does in comparison
> to PIC is to replace the first two message of PIC with a whole SSL
> hanshake.
>
> Also, an IKE-like solution could in the future (when IKE gets
> stabilized
> and deployed) be added, if so desired, as a direct-authentication IKE
> mode.
>
> Hugo
>
> On Tue, 13 Feb 2001, Bill Sommerfeld wrote:
>
> > getcert looks like the right approach from a modularity standpoint.
> >
> > It also *potentially* fits in better than PIC with the way
> my employer
> > currently does remote access.  (I'd guess that this applies to other
> > organizations as well).
> >
> > 					- Bill
> >
>
>



From owner-ietf-ipsra@mail.vpnc.org  Fri Feb 16 16:58:39 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA10402
	for <ipsra-archive@odin.ietf.org>; Fri, 16 Feb 2001 16:58:37 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id MAA22754
	for ietf-ipsra-bks; Fri, 16 Feb 2001 12:37:03 -0800 (PST)
Received: from htt-consult.com ([63.82.18.210])
	by above.proper.com (8.9.3/8.9.3) with SMTP id MAA22749
	for <ietf-ipsra@vpnc.org>; Fri, 16 Feb 2001 12:37:02 -0800 (PST)
Received: from rgm.htt-consult.com ([63.82.18.214]) by htt-consult.com ; Fri, 16 Feb 2001 15:37:47 -0500
Message-Id: <5.0.0.25.2.20010216143121.02aa7390@localhost>
X-Sender: rgm-sec@localhost
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Fri, 16 Feb 2001 15:30:09 -0500
To: <andrew.krywaniuk@alcatel.com>, "'IPSRA list'" <ietf-ipsra@vpnc.org>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: RE: Starting the decision on PIC vs. GetCert 
In-Reply-To: <00d901c097a9$ce1d0750$1e72788a@andrewk3.ca.alcatel.com>
References: <Pine.GSO.4.21.0102141923490.6220-100000@ee.technion.ac.il>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At 06:48 PM 2/15/2001 -0500, Andrew Krywaniuk wrote:
>I think the problem (and advantage) of SSL is that you can leverage off of
>an existing global PKI.
>
>However, I also feel that IKE will be used in scenarios where administrators
>want to have complete administrative control over their PKIs, which negates
>this supposed advantage.

noppers.  at least not in my working on GETCERT.

for argument purposes, you work at a BIG company (like I did for 19 
years).  You buy an Entrust license for the server and you get their RA 
toolkit.

you put the toolkit on a box that also has IIS (remember this is for 
example purposes ONLY :).

you roll your own root cert for your CA and an SSL cert for your IIS.  On 
all of your remote clients you install this root cert (I could get more 
complicated in my example with a whole corporate PKI but why bother for 
this example).

you write a CGI piece that grabs the ir and passes it to the CA with the 
proper cert template.  The CA hands you back an ip that you toss back to 
the remote client.

it works.

now along comes the open source code bunch, and they grab OPENSSL and 
Gutman's open CA stuff and wrap it all with an open RADIUS and Apache  :)

you see here comes the way you can cheat with the open code.  you get your 
'commercial' SSL cert, but you do not use it as your SSL cert, rather you 
use it as your CA's root cert and create all of yoru remote certs off of 
it.  yeah it is a flagrant violation of X.509, but this way you might 
already have the root cert in your clients  :)

just the ramblings at the end of the week.  I will start on the next 
release of GETCERT.  I've a mar 2 publication deadline, but I am going to 
beat that...

>I also believe that the decision to use SSL rather than staying within the
>realm of ISAKMP was motivated by a belief that SSL is inherently more secure
>than IKE. This is something I don't believe to be true.

not in my case.  perhaps more understood?  but not even that.  SSL secures 
a TCP data flow, with the nature of the flow open to the 
application.  remote access configuration will change with time.  to lock 
it into a set of ISAKMP payloads may well be limiting.


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com



From owner-ietf-ipsra@mail.vpnc.org  Tue Feb 20 10:39:14 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA14153
	for <ipsra-archive@odin.ietf.org>; Tue, 20 Feb 2001 10:39:13 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id GAA16552
	for ietf-ipsra-bks; Tue, 20 Feb 2001 06:48:14 -0800 (PST)
Received: from hippolyte.radguard.com ([192.117.11.9])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA16548
	for <ietf-ipsra@vpnc.org>; Tue, 20 Feb 2001 06:48:12 -0800 (PST)
Received: from hellman.radguard.com (unverified) by hippolyte.radguard.com
 (Content Technologies SMTPRS 4.2.1) with SMTP id <T51d92bedc2c0750b09099@hippolyte.radguard.com> for <ietf-ipsra@vpnc.org>;
 Tue, 20 Feb 2001 16:51:25 +0200
Received: from radguard.com by hellman.radguard.com (8.8.8+Sun/SMI-SVR4)
	id QAA29901; Tue, 20 Feb 2001 16:46:47 +0200 (IST)
Message-ID: <3A9282C2.E3D104C4@radguard.com>
Date: Tue, 20 Feb 2001 16:44:18 +0200
From: Sara Bitan <sarab@radguard.com>
Organization: RADGUARD
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: IPSRA list <ietf-ipsra@vpnc.org>
Subject: PIC vs. GetCert straw poll
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

As promised, we now need to choose between PIC and GetCert for the 
product of this Working Group. We didn't get anywhere conclusive in 
the discussion of the last two weeks, but we did air out good 
technical opinions.

For this straw poll, please respond to this message, and simply say 
"PIC" or "GetCert". If you wish, you can say why, but please state 
your preference first. Please respond within two weeks from today.

Note that this is a straw poll, not a "50%+1" straight vote. In the 
IETF tradition, the WG chairs will view the results and look for 
consensus. We (the chairs) will report back to the list soon after 
the two weeks are up.

 Sara


From owner-ietf-ipsra@mail.vpnc.org  Tue Feb 20 12:33:05 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA17737
	for <ipsra-archive@odin.ietf.org>; Tue, 20 Feb 2001 12:33:05 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id IAA24449
	for ietf-ipsra-bks; Tue, 20 Feb 2001 08:45:10 -0800 (PST)
Received: from tholian.securitydynamics.com (mail.rsa.com [204.167.112.129])
	by above.proper.com (8.9.3/8.9.3) with SMTP id IAA24444
	for <ietf-ipsra@vpnc.org>; Tue, 20 Feb 2001 08:45:09 -0800 (PST)
Received: from [192.168.7.5] by tholian.securitydynamics.com
          via smtpd (for mail.vpnc.org [208.184.76.50]) with SMTP; 20 Feb 2001 16:43:32 UT
Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4])
	by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id LAA21237;
	Tue, 20 Feb 2001 11:44:08 -0500 (EST)
Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21)
	id <19301L8B>; Tue, 20 Feb 2001 11:44:07 -0500
Message-ID: <F504A8CEE925D411AF4A00508B8BE90AC22CF6@exna07.securitydynamics.com>
From: "Kavsan, Bronislav" <bkavsan@rsasecurity.com>
To: "'Sara Bitan'" <sarab@radguard.com>, IPSRA list <ietf-ipsra@vpnc.org>
Subject: RE: PIC vs. GetCert straw poll
Date: Tue, 20 Feb 2001 11:43:55 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

GetCert

-----Original Message-----
From: Sara Bitan [mailto:sarab@radguard.com]
Sent: Tuesday, February 20, 2001 9:44 AM
To: IPSRA list
Subject: PIC vs. GetCert straw poll


As promised, we now need to choose between PIC and GetCert for the 
product of this Working Group. We didn't get anywhere conclusive in 
the discussion of the last two weeks, but we did air out good 
technical opinions.

For this straw poll, please respond to this message, and simply say 
"PIC" or "GetCert". If you wish, you can say why, but please state 
your preference first. Please respond within two weeks from today.

Note that this is a straw poll, not a "50%+1" straight vote. In the 
IETF tradition, the WG chairs will view the results and look for 
consensus. We (the chairs) will report back to the list soon after 
the two weeks are up.

 Sara


From owner-ietf-ipsra@mail.vpnc.org  Tue Feb 20 14:20:33 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA21507
	for <ipsra-archive@odin.ietf.org>; Tue, 20 Feb 2001 14:20:32 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id KAA27524
	for ietf-ipsra-bks; Tue, 20 Feb 2001 10:33:12 -0800 (PST)
Received: from rc_westlake.interdyn.com ([205.147.53.144])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA27520
	for <ietf-ipsra@vpnc.org>; Tue, 20 Feb 2001 10:33:11 -0800 (PST)
Received: by RC_WESTLAKE with Internet Mail Service (5.5.2653.19)
	id <1F7PDA9V>; Tue, 20 Feb 2001 10:32:43 -0800
Received: from redcreek.com (host186.redcreek.com [209.218.26.186]) by exchange.redcreek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
	id 15AA84MV; Tue, 20 Feb 2001 10:32:37 -0800
Message-ID: <3A92AB6F.8A43E032@redcreek.com>
Date: Tue, 20 Feb 2001 10:37:51 -0700
From: Ricky Charlet <rcharlet@redcreek.com>
Organization: Redcreek Communications
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-22 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: IPSRA list <ietf-ipsra@vpnc.org>
Subject: Re: PIC vs. GetCert straw poll
References: <3A9282C2.E3D104C4@radguard.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Sara Bitan wrote:
> 
> As promised, we now need to choose between PIC and GetCert for the
> product of this Working Group. We didn't get anywhere conclusive in
> the discussion of the last two weeks, but we did air out good
> technical opinions.
> 
> For this straw poll, please respond to this message, and simply say
> "PIC" or "GetCert". If you wish, you can say why, but please state
> your preference first. Please respond within two weeks from today.
> 
> Note that this is a straw poll, not a "50%+1" straight vote. In the
> IETF tradition, the WG chairs will view the results and look for
> consensus. We (the chairs) will report back to the list soon after
> the two weeks are up.
> 
>  Sara



 PIC

	I dont feel like implementing TLS in my embedded system if I don't have
to.

-- 
  Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903


From owner-ietf-ipsra@mail.vpnc.org  Wed Feb 21 17:24:38 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA12491
	for <ipsra-archive@odin.ietf.org>; Wed, 21 Feb 2001 17:24:38 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id NAA26860
	for ietf-ipsra-bks; Wed, 21 Feb 2001 13:43:21 -0800 (PST)
Received: from fw.hel.fi.ssh.com (fw.hel.fi.ssh.com [193.64.193.124])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA26842
	for <ietf-ipsra@vpnc.org>; Wed, 21 Feb 2001 13:43:02 -0800 (PST)
Received: from viikuna.hel.fi.ssh.com (viikuna.hel.fi.ssh.com [10.1.0.46])
	by fw.hel.fi.ssh.com (SSH-1.22) with SMTP id XAA08185
	for <ietf-ipsra@vpnc.org>; Wed, 21 Feb 2001 23:43:04 +0200 (EET)
Received: (qmail 10354 invoked from network); 21 Feb 2001 21:43:03 -0000
Received: from lavuaari.hel.fi.ssh.com (HELO taulu.hel.fi.ssh.com) ([10.1.0.48]) (envelope-sender <kivinen@ssh.fi>)
          by viikuna.hel.fi.ssh.com (qmail-ldap-1.03) with SMTP
          for <ietf-ipsra@vpnc.org>; 21 Feb 2001 21:43:03 -0000
Received: (from kivinen@localhost)
	by taulu.hel.fi.ssh.com (8.9.3/8.9.3/SSH-1.13) id XAA26452;
	Wed, 21 Feb 2001 23:43:03 +0200 (EET)
X-Authentication-Warning: taulu.hel.fi.ssh.com: kivinen set sender to <kivinen@ssh.fi> using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14996.13926.880069.98523@taulu.hel.fi.ssh.com>
Date: Wed, 21 Feb 2001 23:43:02 +0200
From: Tero Kivinen <kivinen@ssh.fi>
To: Sara Bitan <sarab@radguard.com>
Cc: IPSRA list <ietf-ipsra@vpnc.org>
Subject: PIC vs. GetCert straw poll
In-Reply-To: <3A9282C2.E3D104C4@radguard.com>
References: <3A9282C2.E3D104C4@radguard.com>
X-Mailer: VM 6.88 under Emacs 20.7.2
Organization: SSH Communications Security Oy
X-Edit-Time: 1 min
X-Total-Time: 0 min
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

Sara Bitan writes:
> For this straw poll, please respond to this message, and simply say 
> "PIC" or "GetCert". If you wish, you can say why, but please state 

GetCert.
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/


From owner-ietf-ipsra@mail.vpnc.org  Thu Feb 22 03:24:07 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id DAA06021
	for <ipsra-archive@odin.ietf.org>; Thu, 22 Feb 2001 03:24:06 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id XAA02428
	for ietf-ipsra-bks; Wed, 21 Feb 2001 23:49:45 -0800 (PST)
Received: from relay1.trustworks.com (zuka.trustworks.com [212.114.5.147])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA02406
	for <ietf-ipsra@vpnc.org>; Wed, 21 Feb 2001 23:49:40 -0800 (PST)
Received: by relay1.trustworks.com (8.8.5/1.14)
	id KAA02499; Thu, 22 Feb 2001 10:49:25 +0300 (MSK)
Message-Id: <200102220749.KAA02499@relay1.trustworks.com>
Received: from svan-pc(212.114.5.100) by zuka via smap (V2.0)
	id xma002452; Thu, 22 Feb 01 10:48:41 +0300
From: "Valery Smyslov" <svan@trustworks.com>
Organization: TWS
To: IPSRA list <ietf-ipsra@vpnc.org>, Sara Bitan <sarab@radguard.com>
Date: Thu, 22 Feb 2001 10:48:31 +0300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: PIC vs. GetCert straw poll
In-reply-to: <3A9282C2.E3D104C4@radguard.com>
X-mailer: Pegasus Mail for Win32 (v3.12b)
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7BIT

On 20 Feb 01, at 16:44, Sara Bitan wrote:

PIC.

Valery Smyslov,
TrustWorks Systems.

> As promised, we now need to choose between PIC and GetCert for the 
> product of this Working Group. We didn't get anywhere conclusive in 
> the discussion of the last two weeks, but we did air out good 
> technical opinions.
> 
> For this straw poll, please respond to this message, and simply say 
> "PIC" or "GetCert". If you wish, you can say why, but please state 
> your preference first. Please respond within two weeks from today.
> 
> Note that this is a straw poll, not a "50%+1" straight vote. In the 
> IETF tradition, the WG chairs will view the results and look for 
> consensus. We (the chairs) will report back to the list soon after 
> the two weeks are up.
> 
>  Sara
> 




From owner-ietf-ipsra@mail.vpnc.org  Thu Feb 22 12:57:29 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA20586
	for <ipsra-archive@odin.ietf.org>; Thu, 22 Feb 2001 12:57:26 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id JAA22564
	for ietf-ipsra-bks; Thu, 22 Feb 2001 09:03:58 -0800 (PST)
Received: from rc_westlake.interdyn.com ([205.147.53.144])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA22557
	for <ietf-ipsra@vpnc.org>; Thu, 22 Feb 2001 09:03:57 -0800 (PST)
Received: by RC_WESTLAKE with Internet Mail Service (5.5.2653.19)
	id <F3P4PDKC>; Thu, 22 Feb 2001 09:03:23 -0800
Received: from redcreek.com (host43.redcreek.com [209.218.26.43]) by exchange.redcreek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id F3KS9ZHT; Thu, 22 Feb 2001 09:03:23 -0800
Message-ID: <3A95466B.1ACEB6B3@redcreek.com>
Date: Thu, 22 Feb 2001 09:03:39 -0800
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (X11; U; Linux 2.2.12-20 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Sara Bitan <sarab@radguard.com>
CC: IPSRA list <ietf-ipsra@vpnc.org>
Subject: Re: PIC vs. GetCert straw poll
References: <3A9282C2.E3D104C4@radguard.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

PIC

Sara Bitan wrote:
> 
> As promised, we now need to choose between PIC and GetCert for the
> product of this Working Group. We didn't get anywhere conclusive in
> the discussion of the last two weeks, but we did air out good
> technical opinions.
> 
> For this straw poll, please respond to this message, and simply say
> "PIC" or "GetCert". If you wish, you can say why, but please state
> your preference first. Please respond within two weeks from today.
> 
> Note that this is a straw poll, not a "50%+1" straight vote. In the
> IETF tradition, the WG chairs will view the results and look for
> consensus. We (the chairs) will report back to the list soon after
> the two weeks are up.
> 
>  Sara


From owner-ietf-ipsra@mail.vpnc.org  Thu Feb 22 21:00:52 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA02974
	for <ipsra-archive@odin.ietf.org>; Thu, 22 Feb 2001 21:00:51 -0500 (EST)
Received: by above.proper.com (8.9.3/8.9.3) id RAA19201
	for ietf-ipsra-bks; Thu, 22 Feb 2001 17:27:44 -0800 (PST)
Received: from gate.internaut.com ([64.38.134.108])
	by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA19197
	for <ietf-ipsra@vpnc.org>; Thu, 22 Feb 2001 17:27:42 -0800 (PST)
Received: from e1kj2 (e1kj2 [64.38.134.109])
	by gate.internaut.com (8.10.2/8.10.2) with SMTP id f1N1L0v02203
	for <ietf-ipsra@vpnc.org>; Thu, 22 Feb 2001 17:21:00 -0800
From: "Bernard Aboba" <aboba@internaut.com>
To: "IPSRA list" <ietf-ipsra@vpnc.org>
Subject: RE: PIC vs. GetCert straw poll
Date: Thu, 22 Feb 2001 17:28:58 -0800
Message-ID: <OJEJKOMOEAKLMOILFCPJIEMIEBAA.aboba@internaut.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <F504A8CEE925D411AF4A00508B8BE90AC22CF6@exna07.securitydynamics.com>
Importance: Normal
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-ID: <ietf-ipsra.vpnc.org>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit

The "new and improved" GETCERT (the CMP-based version Bob has been talking
about)


-----Original Message-----
From: Sara Bitan [mailto:sarab@radguard.com]
Sent: Tuesday, February 20, 2001 9:44 AM
To: IPSRA list
Subject: PIC vs. GetCert straw poll


As promised, we now need to choose between PIC and GetCert for the
product of this Working Group. We didn't get anywhere conclusive in
the discussion of the last two weeks, but we did air out good
technical opinions.

For this straw poll, please respond to this message, and simply say
"PIC" or "GetCert". If you wish, you can say why, but please state
your preference first. Please respond within two weeks from today.

Note that this is a straw poll, not a "50%+1" straight vote. In the
IETF tradition, the WG chairs will view the results and look for
consensus. We (the chairs) will report back to the list soon after
the two weeks are up.

 Sara