On Tue, Apr 12, 2011 at 3:03 PM, Dan Harkins <dhark...@lounge.org> wrote:
> On Tue, April 12, 2011 12:45 pm, Nico Williams wrote:
>> So you're for at least one authentication framework. Only you weren't
>> aware of it. Or what did I miss this time? :)
>
> No I don't think you missed it. The "framework" is just IKE and if
> we want to use a credential in IKE we should use it directly and in the
> most robust and misuse resistant way possible. In my opinionated opinion,
> putting a pluggable framework, like EAP, into IKE was a mistake and
> putting in another to use some particular credential would compound that
> mistake.
I can understand your frustration with EAP... but look, SSHv2 also has its own framework and... we ended up adding the option to use another framework because it was easier that way to add support for all the authentication mechanisms that we needed in SSHv2.

I predict exactly the same progression will happen here, if you go down this path.

So what do we gain? Well, there is expediency -- you might implement and deploy something very quickly that works for a few people now who need this now. Expediency is not a laughable argument, so I won't be too upset if that's the argument that gets invoked here. But if we can foresee that this framework will grow and need the same sorts of mechanisms that are available elsewhere... why not do it the Right Way (tm) from the get-go?

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec