Re: introduction; certificates & proxy authentication.
>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes:
Bill> Now, perhaps the following belongs on the ipsec WG list, but
Bill> since the topic came up on the conference call today.
Yes, it *does* belong on ipsec. Will you repost to ipsec?
Bill> For instance, you may have a network looking vaguely like:
Bill> user <-> GWA <-> GWB ...
Bill> where user already has set up SA's with GWA, and GWA is
Bill> negotiating with GWB and proxying for `user'.
Bill> Now, certificates bind a set of attributes to a public key,
Bill> and implicitly link those attributes to the *holder* of the
Bill> private part of that key; there's not much point in passing
Bill> around a certificate except to link the attributes in the
Bill> certificate to something signed by the certified key.
This was the crux of my point in Montreal. I am still hoping that
Bob will release his document RSN. I (at least) never got a copy of
his requirements document for his "challenge" either...
I have come to the conclusion that this signature shall be done out
of band to ISAKMP for now.
Bill> I don't see any place where a protocol is defined which
Bill> allows `GWA' to ask `user' to sign something destined for
Bill> GWB, to prove to GWB that the user is really there.. Merely
Bill> forwarding the cert doesn't prove anything; GWA could have
Bill> pulled the cert out of the certificate directory..
There need to be certificates which grant "gateway" or "firewall"
authority from "user" to "GWA". This is one of the most important
certificates that the IPSEC group has to define later this
summer. (Does the chair agree that this is important work, and to the
timing of this work?)
Bill> So, is the model that GWB trusts GWA's claim that `user' has
Bill> successfully authenticated to GWA? If so, this may be
Bill> expedient, but I don't think it's a scalable trust model..
Bill> What am I missing?
Nothing I think. You are bang on.
:!mcr!: | Network security consulting and
Michael Richardson | contract programming
WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html mcr@sandelman.ottawa.on.ca. PGP key available.
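Bill's point and the "gateway" certificate called for above, as an added example written for this archive page (not code from the thread or from any ISAKMP draft): GWB gains nothing from a forwarded certificate, accepts only a signature by the certified key over its own fresh challenge, and can accept GWA as a proxy when user has signed a delegation naming GWA's key. The toy RSA keys, the message formats and the function names are assumptions made here.

```python
import hashlib

def keygen(p, q, e=65537):
    """Toy textbook RSA on small constructed primes: illustration only, not secure."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

# Certificates reduced to their essence: an attribute (a name) bound to a public key.
USER_PUB, USER_PRIV = keygen(1000003, 1000033)
GWA_PUB, GWA_PRIV = keygen(104723, 104729)
USER_CERT = {"subject": b"user", "pub": USER_PUB}

def gwb_accepts_user(cert, challenge, sig):
    """GWB's check. The cert alone (all GWA could forward) proves nothing; only a
    signature by the certified key over GWB's own fresh challenge shows user is there."""
    if sig is None:
        return False
    return verify(cert["pub"], b"GWB-challenge:" + challenge, sig)

def grant_gateway_authority(user_priv, gwa_pub):
    """The 'gateway' certificate the thread calls for: user signs a statement naming
    GWA's key, so GWA can act for user later without user signing each time."""
    stmt = b"user delegates gateway authority to key " + str(gwa_pub[0]).encode()
    return stmt, sign(user_priv, stmt)

def gwb_accepts_proxy(user_cert, stmt, stmt_sig, gwa_pub, challenge, gwa_sig):
    """GWB verifies the chain: user's certified key signed the grant, the grant names
    the key now answering, and that key signs THIS challenge (fresh, so no replay)."""
    if not verify(user_cert["pub"], stmt, stmt_sig):
        return False
    if not stmt.endswith(str(gwa_pub[0]).encode()):
        return False
    return verify(gwa_pub, b"GWB-challenge:" + challenge, gwa_sig)
```

A grant that GWA signs with its own key instead of user's fails the first check, which is exactly the "GWA pulled the cert out of the directory" case.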