Re: Discussion of an app-layer API for IPsec

> >I basically think that IPsec is nearly useless without an application-layer
> >API,
> Creating secure WANs is a pretty large market...

granted.  perhaps I should have said "nearly useless to applications".
(of course, just because something has a large market doesn't necessarily
mean it's useful)

> >  but the API needs to not only make applications aware of whether
> >a security association has been established (along with the credentials
> >so that the application can evaluate them for itself)
> Right
> >  but also allow
> >the application to control the credentials that are used when establishing
> >SAs.
> That's assuming that the API allows SA creation. I think that is a
> separate API from "am I already covered", and one that will be much
> harder to design.

granted that it will be much harder to design, but the idea that the
end hosts can decide how to set up an SA suitable to authenticate to
applications, without the applications being involved, strikes me as
extremely dubious.  which is why I've never felt like IPsec was very
valuable without an application-layer API.


