[VPN] Checkpoint NG FP2

George W. Capehart gwc at capehassoc.com
Thu May 1 18:04:25 EDT 2003


On Thursday 01 May 2003 04:30 am, Siddhartha Jain wrote:
> If you have two boxes, A and B, then both must know
> each other's certifying authorities. Or both must have
> certificates issued from the same CA. A presents a
> cert to B, how does B validate that it's valid?? By
> checking with its own CA or by checking with A's CA.
> Get this straight if you want to use certificate based
> IKE.
>
> Yes, you can use pre-shared keys in Checkpoint. But
> using certs is definitely more secure and robust.

IFF:

 o The CA hierarchy is traversed to the root CA
 o You trust/believe the root CA
 o The CAs maintain up-to-date CRLs and they are checked
 o etc.

Certs *may* be more secure and robust.  See 
http://www.counterpane.com/pki-risks.pdf and the IETF PKIX mailing 
list, etc. for "mitigating factors."  When used and managed 
inappropriately, it is very easy to get a false sense of security from 
PKIs . . . It's not easy to use certs securely.  |-}

/g
-- 
George W. Capehart

"With sufficient thrust, pigs fly just fine . . ."
 -- RFC 1925
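As an added example (not code from this thread or from Check Point), here is the validation step B has to perform on A's certificate before certificate-based IKE is any stronger than a pre-shared key, written in Go against the standard library's crypto/x509: the chain is walked up to a root, that root must be one B itself already trusts, and the issuer's CRL is signature-checked, checked for freshness, and searched for A's serial number. The root, issuing CA, gateway certificate and CRL are generated in memory with Ed25519 keys; the names and key usages are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with the parent's key; parent == nil yields a self-signed root.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // demo-grade serial
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueCRL signs a CRL from ca, current until nextUpdate, listing the revoked entries (possibly none).
func issueCRL(ca *x509.Certificate, key ed25519.PrivateKey, nextUpdate time.Time, revoked []pkix.RevokedCertificate) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), RevokedCertificates: revoked,
		ThisUpdate: nextUpdate.Add(-time.Hour), NextUpdate: nextUpdate}, ca, key)
}

// ValidatePeer is what B must do with A's cert: chain to a root B itself trusts, then consult a fresh, issuer-signed CRL.
func ValidatePeer(peer, issuer, root *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // B's own trust anchor: only chains ending here are acceptable
	inters.AddCert(issuer)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER) // a CRL not signed by the issuer proves nothing; a stale one is not "up-to-date"
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("crl rejected: unparseable, not signed by the issuer, or past its NextUpdate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("peer serial %v is revoked", rc.SerialNumber)
		}
	}
	return nil
}
```

Build a root, an issuing CA and a gateway certificate with issue, sign a CRL from the issuing CA with issueCRL, and ValidatePeer accepts the gateway only when its chain ends at the root in B's pool and its serial is absent from a CRL that is both issuer-signed and still current.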
