
Re: [Users] Announce: FreeS/WAN Project Ending

From: Wes Hardaker <wes(at)hardakers.net>
Date: Tue Mar 09 2004 - 10:11:28 EST

>>>>> On Tue, 9 Mar 2004 13:15:26 +0100 (MET), Paul Wouters <paul@xtdnet.nl> said:

>> I can partly understand the frustration about the minimal adoption of
>> OE. But the REAL problem for OE is that there is no easy way to use it
>> as a standard end user.

Paul> I don't entirely agree, but I can see some of your point
Paul> here. If servers, who usually have control of their DNS, deploy
Paul> OE, then the setup for the end user consists of having a valid
Paul> FQDN, and having control over that DNS entry. That in general is
Paul> not a problem. There are plenty of free forward DNS services
Paul> available if you can't afford $9.99 for your own domain.

If you want to put a system like OE in place and have it widely used, you need to make it simple for end users to deploy. This means making it easy to set up, and not requiring infrastructure that the majority of the users may not have access to. This is where OE failed. Requiring access to a reverse DNS infrastructure made it difficult to set up. I have servers and hosts with FQDN naming systems, but do not have access to the reverse address half of DNS. I suspect this is really common. (When I mentioned this difficulty a long time ago on this list when OE was first getting started, the opinion at the time was "get a new ISP that lets you have more control".) The majority of end users (at least in the US with the ISPs available here) do not have access to reverse DNS servers. A small fraction probably do have their own FQDN addresses, but it's still only a fraction, as you'd have to need it to want it. The final missing piece was an easy tool to publicize your key. Currently, not only did you need access to appropriate DNS servers, but you had to put the key in by hand. There is no automated way to do this, which would have helped make the system more successful (i.e., trivial to use). Throw in dynamic IP addresses and everything goes further on its way to being a pain for users.

Let's look at 2 systems that have had more success:

  1. PGP. pgp has key servers to help connect 2 otherwise unknown-to-each-other end users. This is similar to how DNS is being used for OE, with one significant difference: pgp has an easy-to-publish mechanism. You just call pgp with some argument to publish your key to the server (e.g., gpg --send-keys). Done. gpg even has options to auto-search key servers if it doesn't have a key when verifying a signature (i.e., it'll try without you explicitly asking it to). This is *much* easier to use than what OE required and, as a result, has had greater penetration.
  2. SSH. ssh exchanges the public keys in the first connection, asking the user "hey, there is a new key. Trust it?". It's automatic. You can't *not* use it. It warns you when things change. The important part, though, is that it is self-initializing. The result: excellent deployment. (In contrast, it would be more difficult for OE to use a technique like this since OE is set up behind the application, not in it, but it would still be possible [details if you really want them].)

OE is a good technology with good goals. But to say that you're disappointed in its ability to penetrate the market, well, you have to ask yourself "why?". The answer should be fairly clear: the designs are not accommodating to the end user trying to deploy it. They're well designed security-wise, but well designed ideal s



FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Tue Mar 9 10:18:28 2004
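The two key-discovery models the post contrasts, as an added illustration that is not part of the original thread: an OE-style lookup that only succeeds if a key was published in the reverse (in-addr.arpa) zone for the peer's address, beside an SSH-style trust-on-first-use store that self-initializes on first contact and flags a later change. The reverse zone, host names and key strings are constructed for the demo.

```python
"""Constructed comparison: OE reverse-DNS key lookup vs. SSH trust-on-first-use."""
import ipaddress
from typing import Dict, Optional


def reverse_name(ip: str) -> str:
    """The in-addr.arpa / ip6.arpa name an OE-style lookup would query."""
    return ipaddress.ip_address(ip).reverse_pointer


def oe_lookup(ip: str, zone: Dict[str, str]) -> Optional[str]:
    """OE model: the key must already be published in the peer's reverse zone.
    Only whoever controls that zone (often the ISP, not the user) can put it there,
    so a peer without that control simply cannot be found."""
    return zone.get(reverse_name(ip))


class TofuStore:
    """SSH model: pin the key seen on first contact, warn when it changes."""

    def __init__(self) -> None:
        self.known: Dict[str, str] = {}

    def check(self, host: str, presented_key: str) -> str:
        pinned = self.known.get(host)
        if pinned is None:
            self.known[host] = presented_key
            return "new"       # first contact: prompt the user, then remember it
        if pinned == presented_key:
            return "ok"        # same key as before
        return "changed"       # warn loudly: possible MITM or a legitimate rekey


# Constructed reverse zone: only one of the two peers has a published key.
REVERSE_ZONE = {reverse_name("192.0.2.10"): "ssh-ed25519 AAAA...peerA"}


def demo() -> Dict[str, Optional[str]]:
    store = TofuStore()
    return {
        "oe_peer_a": oe_lookup("192.0.2.10", REVERSE_ZONE),  # published -> found
        "oe_peer_b": oe_lookup("192.0.2.20", REVERSE_ZONE),  # no zone access -> None
        "tofu_first": store.check("peer-b.example", "key-1"),
        "tofu_again": store.check("peer-b.example", "key-1"),
        "tofu_changed": store.check("peer-b.example", "key-2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```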

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:11 EDT

