[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: introduction; certificates & proxy authentication.

To: ipsec@tis.com, anx-sec@dot.netrex.net
Subject: Re: introduction; certificates & proxy authentication.
From: Daniel Harkins <dharkins@cisco.com>
Date: Fri, 18 Apr 1997 09:18:09 -0700
In-Reply-To: Your message of "Fri, 18 Apr 1997 11:15:02 EDT." <199704181515.LAA07342@amaterasu.sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com

>   There needs to be certificates which grant "gateway" or "firewall"
> authority from "user" to "GWA". This is one of the most important
> certificates that the IPSEC group has to define later this
> summer. (Does the chair agree that this is important work, and to the
> timing of this work?)

  How about adding another record in (secure) DNS analogous to the MX
record? This thing (KX?) would say "if you want to talk to blah.cisco.com 
negotiate with gw1.cisco.com or gw2.cisco.com". That idea has been floated
around several times. It solves the problem and scales beautifully. 

  It seems better than defining another certificate. And isn't SPKI doing 
that work anyway?

  Dan.

References:

Re: introduction; certificates & proxy authentication.

From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

Prev by Date: Re: CBC IV generation in ISAKMP/Oakley
Next by Date: Re: Comments on draft-ietf-ipsec-new-auth-00.txt
Prev by thread: Re: introduction; certificates & proxy authentication.
Next by thread: certificates & proxy authentication.
Index(es):
- Main
- Thread