-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is in response to the mail posted by Thor Lancelot Simon. The original mail is available at http://www.securityfocus.com/archive/1/347351, in which Thor has listed two issues. Documented below is Cisco's response to them.

Issue #1:

Cisco addressed this issue as part of CSCdw87717, wherein the Cert Domain Name verification feature was implemented. This issue has been documented under the Cisco security advisory http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml.

Issue #2:

This is a widely known, common aspect of the Pre-Shared Keys (PSK) authentication mechanism since 1999. With PSK, there is no way for a client to identify what is on the other side of the connection except that the other side has the same PSK. The use of Digital Certificates as part of PKI for authentication, or per-user PSK, are the only current solutions to this aspect of using PSKs. It is a choice which network administrators must make between ease of use versus stronger security.

Additionally, there is another IETF draft specification that Cisco is in the process of evaluating, for its VPN 3000 product line, called CRACK (Challenge Response Authentication of Cryptographic Keys). More information is available at http://www.nwfusion.com/links/Encyclopedia/C/722.html. Cisco is incorporating this authentication scheme in an upcoming release for the Cisco VPN 3000 series concentrators. The Cisco VPN client should be supporting it in the future.

Brgds,
Sharad

- --
Sharad Ahlawat
Cisco Product Security Incident Response Team (PSIRT)
http://www.cisco.com/go/psirt
Phone: +1 (408) 527-6087
PGP-key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC12A996C

-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat

iD8DBQE/2p9aGoGomMEqmWwRAmM+AJ97lW3LdYAW4WN0LMbx/FN5rkdf+QCdFQ6U
WBbCX0je3eQKjv7IuzHZRHQ=
=abwG
-----END PGP SIGNATURE-----
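The following is an added illustration, not part of the Cisco reply above and not Cisco or Cisco VPN client code. It models, in a few lines of Python, the two points the reply makes: under a group PSK the client's only check is "does the peer know the same secret", so any holder of that secret verifies as the gateway, whereas a per-user PSK or a certificate whose name is checked against the configured gateway does not share that weakness. The HMAC-over-nonces authenticator, the identity string `vpn.example.test`, the secrets and the `cert_name_matches` helper are all constructed for the example; real IKE key derivation is not modelled.

```python
import hashlib
import hmac
import os

# Toy model of a pre-shared-key authenticator (constructed for this example,
# not real IKE): each side proves knowledge of the PSK by keying an HMAC
# over both nonces and its claimed identity.
def authenticator(psk: bytes, nonce_i: bytes, nonce_r: bytes, identity: bytes) -> bytes:
    return hmac.new(psk, nonce_i + nonce_r + identity, hashlib.sha1).digest()


def client_accepts_gateway(psk: bytes, nonce_i: bytes, nonce_r: bytes,
                           gateway_id: bytes, received_auth: bytes) -> bool:
    """Client-side check: the peer's proof must verify under the PSK the
    client was configured with. That is the whole of what PSK auth tells
    the client about the peer."""
    expected = authenticator(psk, nonce_i, nonce_r, gateway_id)
    return hmac.compare_digest(expected, received_auth)


GATEWAY_ID = b"vpn.example.test"  # constructed gateway identity


def group_psk_scenario() -> bool:
    """Every user is provisioned with the same group PSK. A responder that is
    merely another group member, not the real gateway, still holds that
    secret, so its proof is indistinguishable to the client (returns True)."""
    group_psk = b"constructed-group-secret"
    nonce_i, nonce_r = os.urandom(16), os.urandom(16)
    other_member_auth = authenticator(group_psk, nonce_i, nonce_r, GATEWAY_ID)
    return client_accepts_gateway(group_psk, nonce_i, nonce_r, GATEWAY_ID, other_member_auth)


def per_user_psk_scenario() -> bool:
    """Each user has a distinct PSK known only to that user and the gateway.
    A responder holding user B's key cannot satisfy user A's check
    (returns False)."""
    psk_a = b"constructed-secret-for-user-a"
    psk_b = b"constructed-secret-for-user-b"
    nonce_i, nonce_r = os.urandom(16), os.urandom(16)
    wrong_key_auth = authenticator(psk_b, nonce_i, nonce_r, GATEWAY_ID)
    return client_accepts_gateway(psk_a, nonce_i, nonce_r, GATEWAY_ID, wrong_key_auth)


def cert_name_matches(cert_names, configured_gateway: str) -> bool:
    """The extra step a certificate-authenticated client needs after chain
    validation, i.e. the class of check the reply calls Cert Domain Name
    verification: the validated certificate must actually name the gateway
    the client was configured to reach, not merely be some valid certificate.
    `cert_names` stands in for the subject CN / subjectAltName entries."""
    return configured_gateway.lower() in {n.lower() for n in cert_names}


if __name__ == "__main__":
    print("group PSK, non-gateway member accepted:", group_psk_scenario())
    print("per-user PSK, holder of another key accepted:", per_user_psk_scenario())
    print("cert names gateway:", cert_name_matches(["vpn.example.test"], "vpn.example.test"))
    print("valid cert, wrong name:", cert_name_matches(["other.example.test"], "vpn.example.test"))
```

Running the script prints True for the group-PSK case and False for the other three checks, which is the trade-off the reply describes: the group PSK is easier to deploy, but only per-user secrets or name-checked certificates let the client tell the real gateway apart from any other party that was given the same secret.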