
Re: introduction; certificates & proxy authentication.



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes:
    Bill> Now, perhaps the following belongs on the ipsec WG list, but
    Bill> since the topic came up on the conference call today.

  Yes, it *does* belong on ipsec. Will you repost to ipsec?

    Bill> For instance, you may have a network looking vaguely like:

    Bill> 	user <-> GWA <-> GWB ...

    Bill> where user already has set up SA's with GWA, and GWA is
    Bill> negotiating with GWB and proxying for `user'.

    Bill> Now, certificates bind a set of attributes to a public key,
    Bill> and implicitly link those attributes to the *holder* of the
    Bill> private part of that key; there's not much point in passing
    Bill> around a certificate except to link the attributes in the
    Bill> certificate to something signed by the certified key.

  This was the crux of my point in Montreal. I am still hoping that
Bob will release his document RSN. I (at least) never got a copy of
his requirements document for his "challenge" either...
  I have come to the conclusion that this signature shall be done out
of band to ISAKMP for now. 

    Bill> I don't see any place where a protocol is defined which
    Bill> allows `GWA' to ask `user' to sign something destined for
    Bill> GWB, to prove to GWB that the user is really there..  Merely
    Bill> forwarding the cert doesn't prove anything; GWA could have
    Bill> pulled the cert out of the certificate directory..

  There need to be certificates which grant "gateway" or "firewall"
authority from "user" to "GWA". This is one of the most important
certificates that the IPSEC group has to define later this
summer. (Does the chair agree that this is important work, and to the
timing of this work?)

    Bill> So, is the model that GWB trusts GWA's claim that `user' has
    Bill> successfully authenticated to GWA?  If so, this may be
    Bill> expedient, but I don't think it's a scalable trust model..

    Bill> What am I missing?

  Nothing I think. You are bang on.

   :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html> mcr@sandelman.ottawa.on.ca. PGP key available.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBM1eP7qZpLyXYhL+BAQFXmwMAwSnPxu4aHkcosT9xOvrGtl3akcrzqk3s
tHKA74HRf3KPD+Gr4yM859RECrDYvoHyjBpamIIi1kaSKQdCQnjqScnMrWfUCrJA
4nZjCXP3T3rsDy1NDwM8lpi5TWUYy5bG
=iw/g
-----END PGP SIGNATURE-----
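The trust gap the thread describes, as an added example that is not from either poster: a sketch of the check GWB would run before accepting GWA as a proxy for `user`. It assumes one Ed25519 key pair per party and a hypothetical `Delegation` structure standing in for the "gateway authority" certificate the reply says IPsec still has to define; the names `IssueDelegation`, `ProofMessage` and `VerifyProxied` are inventions for this illustration, not anything in ISAKMP.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Delegation is a constructed, hypothetical "gateway authority" certificate:
// the holder of the private key behind UserPub states that GatewayPub may
// negotiate on the user's behalf until NotAfter. Only the user's private key
// can produce a valid Signature, so a gateway that merely fetched the user's
// public certificate from a directory cannot mint one.
type Delegation struct {
	UserPub    ed25519.PublicKey
	GatewayPub ed25519.PublicKey
	Authority  string    // e.g. "gateway" or "firewall"
	NotAfter   time.Time // expiry; delegations should be short-lived
	Signature  []byte    // user's signature over tbs()
}

// tbs returns the to-be-signed bytes: every field except Signature, with
// length prefixes so no two field combinations share an encoding.
func (d Delegation) tbs() []byte {
	var buf bytes.Buffer
	for _, f := range [][]byte{d.UserPub, d.GatewayPub, []byte(d.Authority)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf.Write(n[:])
		buf.Write(f)
	}
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(d.NotAfter.Unix()))
	buf.Write(t[:])
	return buf.Bytes()
}

// IssueDelegation runs on the user's side; it is the one step that needs
// the user's private key.
func IssueDelegation(userPriv ed25519.PrivateKey, gatewayPub ed25519.PublicKey,
	authority string, notAfter time.Time) Delegation {
	d := Delegation{
		UserPub:    userPriv.Public().(ed25519.PublicKey),
		GatewayPub: gatewayPub,
		Authority:  authority,
		NotAfter:   notAfter,
	}
	d.Signature = ed25519.Sign(userPriv, d.tbs())
	return d
}

// ProofMessage is what the gateway signs for GWB: GWB's fresh nonce bound to
// the specific delegation being exercised, so a proof cannot be reused with
// a different delegation.
func ProofMessage(d Delegation, challenge []byte) []byte {
	return append(append([]byte{}, challenge...), d.Signature...)
}

var (
	ErrExpired      = errors.New("delegation has expired")
	ErrBadSignature = errors.New("delegation is not signed by the user key it names")
	ErrWrongGateway = errors.New("delegation names a different gateway")
	ErrBadProof     = errors.New("peer did not prove possession of the gateway key")
)

// VerifyProxied is GWB's check. peerPub is the key GWB authenticated its peer
// (GWA) with, challenge is a nonce GWB chose for this exchange, and proof is
// the peer's signature over ProofMessage. A forwarded user certificate is
// never enough on its own: the only user-signed input is the delegation, and
// it must name the very gateway GWB is talking to.
func VerifyProxied(d Delegation, peerPub ed25519.PublicKey,
	challenge, proof []byte, now time.Time) error {
	if !now.Before(d.NotAfter) {
		return ErrExpired
	}
	if !ed25519.Verify(d.UserPub, d.tbs(), d.Signature) {
		return ErrBadSignature
	}
	if !bytes.Equal(d.GatewayPub, peerPub) {
		return ErrWrongGateway
	}
	if !ed25519.Verify(peerPub, ProofMessage(d, challenge), proof) {
		return ErrBadProof
	}
	return nil
}

func main() {
	// Constructed scenario: user <-> GWA <-> GWB; GWX is a gateway that
	// holds only the user's public certificate.
	_, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	gwaPub, gwaPriv, _ := ed25519.GenerateKey(rand.Reader)
	gwxPub, gwxPriv, _ := ed25519.GenerateKey(rand.Reader)

	now := time.Now()
	d := IssueDelegation(userPriv, gwaPub, "gateway", now.Add(time.Hour))
	challenge := make([]byte, 32)
	rand.Read(challenge)

	fmt.Println("GWA with user-issued delegation:",
		VerifyProxied(d, gwaPub, challenge, ed25519.Sign(gwaPriv, ProofMessage(d, challenge)), now))
	fmt.Println("GWX presenting GWA's delegation:",
		VerifyProxied(d, gwxPub, challenge, ed25519.Sign(gwxPriv, ProofMessage(d, challenge)), now))
}
```

The two signatures do different jobs: the user's signature over the delegation is the out-of-band statement that GWA may act for the user, and the gateway's signature over GWB's nonce shows the gateway holds its key now, in this exchange. Neither can be produced from a certificate pulled out of a directory, which is exactly what the forwarded-cert model lacks.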

