Firewall Wizards mailing list archives

Re: IPsec and firewalls


From: Aleph One <aleph1 () dfw dfw net>
Date: Sat, 7 Feb 1998 19:13:30 -0600 (CST)

On Sat, 7 Feb 1998 carson () tla org wrote:

> _Every_ authentication scheme relies on a trusted 3rd party of some
> sort. The only question is who is trusted, and when that trust must be
> validated. If you make your proxy/firewall/nat/whatever a trusted CA, you
> can proxy just about anything, including stripping ActiveX from HTTP over
> SSL sessions. I agree that it would be nice for this "trusted spoofing" or
> "friendly man in the middle" approach to be designed in rather than
> reverse-engineered.

Not necessarily. The typical example is that of users using a pseudonym. I
may accept a key from them on our initial contact without verifying it
with a trusted third party (as it is a pseudonym and there is not one to
trust), yet every time after that I have their key and verify I am talking
to the same person I was talking to the first time. In any case I will not
always want to authenticate. I may just want to encrypt the session, and a
simple key exchange is all that is needed. No need to verify anything with
a third party.

> -- 
> Carson Gaspar -- carson () cs columbia edu carson () tla org carson () cugc org
> http://www.cs.columbia.edu/~carson/home.html
> Queen Trapped in a Butch Body

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
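The pseudonym model Aleph One describes above is what is now usually called trust-on-first-use (TOFU) key pinning: the key offered at first contact is recorded as-is, and every later contact is checked against that record instead of against a certificate authority. The following is an added illustration written for this archive page, not code from either poster; the peer keys are constructed placeholder byte strings rather than real public keys, and the `TofuStore` class and `Verdict` names are inventions for the example. It shows the one thing the model can and cannot detect: a key that changes after first contact is flagged, but a key substituted at the very first contact is accepted and pinned, which is the residual risk of skipping third-party verification.

```python
"""Trust-on-first-use (TOFU) key pinning for pseudonymous peers.

Added example: a key presented under a pseudonym is accepted on first
contact, recorded, and every later contact is compared against that
record rather than validated through a trusted third party.
The peer keys used in demo() are constructed placeholders, not real keys.
"""
import hashlib
from enum import Enum
from typing import Dict, List, Optional


class Verdict(Enum):
    FIRST_CONTACT = "first_contact"   # no record yet; the key is pinned now
    MATCH = "match"                   # same key as on every earlier contact
    MISMATCH = "mismatch"             # key changed: rotation or impersonation


def fingerprint(pubkey: bytes) -> str:
    """Return a stable identifier for a public key (SHA-256, hex encoded)."""
    return hashlib.sha256(pubkey).hexdigest()


class TofuStore:
    """Pins the first key seen for each pseudonym and flags any later change.

    This is the verification step the poster describes: no CA is consulted,
    only the record made at first contact.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}   # pseudonym -> pinned fingerprint

    def check(self, pseudonym: str, pubkey: bytes) -> Verdict:
        fp = fingerprint(pubkey)
        pinned = self._pins.get(pseudonym)
        if pinned is None:
            # First contact: nothing to compare against, so the key is
            # accepted on faith. An interception here goes undetected.
            self._pins[pseudonym] = fp
            return Verdict.FIRST_CONTACT
        if pinned == fp:
            return Verdict.MATCH
        # A changed key is either a legitimate rotation or an impostor; TOFU
        # cannot tell which, so the caller must refuse or re-verify out of band.
        return Verdict.MISMATCH

    def pinned_fingerprint(self, pseudonym: str) -> Optional[str]:
        """Return the fingerprint pinned for a pseudonym, or None if unseen."""
        return self._pins.get(pseudonym)


def demo() -> List[Verdict]:
    """Three contacts from 'nym': the original key twice, then a different key."""
    key_a = b"-----CONSTRUCTED PUBLIC KEY A-----"   # constructed placeholder
    key_b = b"-----CONSTRUCTED PUBLIC KEY B-----"   # constructed placeholder
    store = TofuStore()
    return [
        store.check("nym", key_a),   # first contact: pinned
        store.check("nym", key_a),   # same key again: match
        store.check("nym", key_b),   # different key: mismatch, refuse
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The mismatch verdict is the entire security value of the scheme: a defender treats it as a hard stop until the new key is confirmed through some other channel, exactly as an SSH client does when a host key changes.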