North American Network Operators Group
Re: PKI for medium scale network operations
I, like Gadi, am certainly no PKI expert. I've seen folks get badly burned by this fire though...

On Sat, 26 Mar 2005, Sean Donelan wrote:
> Most people figured out I was not looking for a "public" CA solution.
> There is very little reason why internal certificates need to be
> recognized world-wide, or by anything outside of the internal
> organization. Also I didn't say it, but I'm not looking to identify
> natural people.

Kerb could also do this for you, routers (IOS at least) already support Kerb for authentication... So does *nix, NT/XP/2K/2k3, MacOSX. Does this meet the need for authentication type things?

> Instead of using community names for SNMP or shared secrets for VPN,
> an alternative for a network operator is some form of public/private
> keys.

You could, I'm fairly certain, hack in kerb auth to VPN clients and possibly to SNMP, though I admit to not being an ASN.1 expert either :( (kerb and snmp use this in their packing methods, right?)

> Several people pointed out certificates don't fix the compromised
> device problem. Public/private key pairs are only as secure as the
> private key. The length of the key doesn't matter if you can get
> a copy of the private key.

It's the compromised device problem that was the white-hot-flame-of-love for the last PKI deployment I witnessed in action... Anyway, Kerberos? Might it also be considered for your situation?

-Chris