Hilarie,

> TCP requires IP, so the IETF guidelines cannot be
> taken too seriously with regard to banning protocol dependencies!

Yes, they are only loose recommendations, and I believe (not having the exact RFC in front of me) that the intent was to minimise the interaction between major subsystems and not specific protocols.

> Why isn't DNSSEC the appropriate minimal common basis for authentication?

This seems to be a strong direction of recent mailing list discussion...

DNSSEC is one way to format and distribute certificates. It also implies a specific trust model and naming based on DNS. An IPsec specification should provide recommendations for the minimum required certificate format for IPsec authentication.

For ISAKMP, I do not see why certificate distribution is required. Peer systems can readily exchange all required certificates directly, so a certificate distribution system like DNS may not be required.

Paul

--------------------------------------------------------------
Paul Lambert                         Director of Security Products
Oracle Corporation                   Phone:  (415) 506-0370
500 Oracle Parkway, Box 659410       Fax:    (415) 413-2963
Redwood Shores, CA 94065             palamber@us.oracle.com
!!! Still hiring, send resumes to: palamber@us.oracle.com !!!
--------------------------------------------------------------
-- BEGIN included message
- To: PALAMBER@us.oracle.com
- Subject: Re: DNS? was Re: Key Management, anyone?
- From: "Hilarie Orman " <ipsec-approval@neptune.hq.tis.com>
- Date: 01 Aug 96 05:15:04
- Cc: ipsec@tis.com
I agree with the individual points, but I'm not convinced by the conclusion. Why isn't DNSSEC the appropriate minimal common basis for authentication? I believe we need such a basis, and DNSSEC seems to be the obvious choice. This wouldn't rule out the optional use of other methods. TCP requires IP, so the IETF guidelines cannot be taken too seriously with regard to banning protocol dependencies!
-- END included message
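The point Paul makes above about ISAKMP, that peers can hand each other the certificates they need in-band and that trust is then decided by the receiver's own configuration rather than by a directory, is illustrated by the following added example. It is not code from the thread or from any IPsec implementation, and it does not model ISAKMP's actual payload formats: two self-signed roots, the peer name gw1.example.net and the function names are assumptions made for illustration. The responder keeps one root in a local pool, receives a certificate directly from the initiator, and validates it against that pool; a certificate carrying the same name but issued under an unrelated root is rejected, because the naming alone carries no trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca is an issuing authority: its self-signed certificate and signing key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// randomSerial returns a 128-bit random serial number for a new certificate.
func randomSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return n
}

// newCA creates a self-signed root. The name is only a label; what makes it a
// trust anchor is the responder placing it in its configured pool.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issuePeer signs an end-entity certificate for a peer. The DER bytes are
// what the initiator would carry in its own handshake message.
func (c *ca) issuePeer(name string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
}

// verifyPeerCert is the responder side: the certificate arrived in-band, and
// the only inputs to the decision are the local root pool and the identity
// the responder expected for this peer. No directory lookup is involved.
func verifyPeerCert(der []byte, roots *x509.CertPool, expectedName string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return err
	}
	if cert.Subject.CommonName != expectedName {
		return errors.New("certificate names a different peer than expected")
	}
	return nil
}

// runExchange builds one trusted root and one unrelated root, has each issue
// a certificate for the same peer name, and returns the responder's verdict
// on each. Only the certificate under the configured anchor passes.
func runExchange() (trustedErr, untrustedErr error) {
	trusted, err := newCA("Example Org Root") // assumed name, in the local pool
	if err != nil {
		return err, err
	}
	other, err := newCA("Unrelated Root") // assumed name, not in the pool
	if err != nil {
		return err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted.cert)
	peerDER, err := trusted.issuePeer("gw1.example.net")
	if err != nil {
		return err, err
	}
	impostorDER, err := other.issuePeer("gw1.example.net")
	if err != nil {
		return err, err
	}
	return verifyPeerCert(peerDER, roots, "gw1.example.net"),
		verifyPeerCert(impostorDER, roots, "gw1.example.net")
}

func main() {
	ok, bad := runExchange()
	fmt.Println("certificate under configured root:", ok)
	fmt.Println("same name, unrelated root:", bad)
}
```

The expected-name check at the end of verifyPeerCert is where the trust model's naming decision lives: the responder decides from its own policy which identity this peer must present, rather than inheriting that binding from the DNS hierarchy. Swapping in a directory-resolved name there would be the point at which a DNSSEC-based model enters, and is exactly the dependency under discussion.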