- From: Keith Moore <moore@cs.utk.edu>
- Date: Mon, 07 May 2001 20:27:25 -0400
- To: Paul Hoffman / IMC <phoffman@imc.org>
- cc: discuss@apps.ietf.org
> >I basically think that IPsec is nearly useless without an application-layer
> >API,
>
> Creating secure WANs is a pretty large market...

granted. perhaps I should have said "nearly useless to applications".

(of course, just because something has a large market doesn't necessarily
mean it's useful)

> > but the API needs to not only make applications aware of whether
> >a security association has been established (along with the credentials
> >so that the application can evaluate them for itself)
>
> Right
>
> > but also allow
> >the application to control the credentials that are used when establishing
> >SAs.
>
> That's assuming that the API allows SA creation. I think that is a
> separate API from "am I already covered", and one that will be much
> harder to design.

granted that it will be much harder to design, but the idea that the
end hosts can decide how to set up an SA suitable to authenticate to
applications, without the applications being involved, strikes me as
extremely dubious. which is why I've never felt like IPsec was very
valuable without an application-layer API.

Keith
Received on Monday, 7 May 2001 20:27:58 UTC