
RE: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names



>It seems to me that all this "but the CA said it was ok" logic ignores the possibility that the private key might be stolen.  I am not arguing with the fact the CA said it was ok, I am thinking about the case where the situation has changed, and, for example, the private key got stolen (i.e. the router was stolen and is now sitting on some other network with a different IP address.)

If it's marked as a non-mobile certificate in the policy database, the
database would restrict the IP addresses allowed for the remote end.
Having the IP address in the certificate might shrink the policy database
a little (but probably not) and would just enlarge the certificate.

-dmason
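One way to implement the policy-database restriction dmason describes, as an added example that is not part of the thread or of the draft: the certificate identity is looked up in a local policy table, and a peer flagged non-mobile is only accepted from the networks pinned to it, so a stolen router presenting a valid certificate from a different network is refused. The schema, field names, identities and addresses below are assumptions made for illustration.

```python
"""Policy-database check for IPsec peer identities.

Added example, not from the draft or the original poster. The policy
schema, field names and sample entries are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerPolicy:
    identity: str                 # identity asserted in the peer's certificate (e.g. a DN)
    mobile: bool                  # True: may connect from any address; False: pinned to allowed_nets
    allowed_nets: list = field(default_factory=list)  # networks a non-mobile peer may use


# Constructed sample policy database (hypothetical identities and addresses).
POLICY_DB = {
    "CN=gw1.example.net": PeerPolicy(
        identity="CN=gw1.example.net",
        mobile=False,
        allowed_nets=[ipaddress.ip_network("192.0.2.0/24")],
    ),
    "CN=laptop7.example.net": PeerPolicy(
        identity="CN=laptop7.example.net",
        mobile=True,
    ),
}


def authorize_peer(identity: str, peer_ip: str, db=POLICY_DB) -> bool:
    """Return True only if the certificate identity is known and, for a
    non-mobile peer, the packet's source address lies inside one of its
    allowed networks.

    Signature and chain validation are assumed to have already succeeded;
    this is the local check the CA's signature cannot make for you.
    """
    policy = db.get(identity)
    if policy is None:
        return False               # unknown identity: no policy entry, no SA
    if policy.mobile:
        return True                # mobile peer: source address is not a policy input
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False               # malformed address can never match a pinned network
    return any(addr in net for net in policy.allowed_nets)


if __name__ == "__main__":
    # A router keyed as gw1 that turns up on 198.51.100.0/24 is refused
    # even though its certificate still verifies.
    print(authorize_peer("CN=gw1.example.net", "192.0.2.17"))
    print(authorize_peer("CN=gw1.example.net", "198.51.100.5"))
```

The point of keeping the address list in the policy database rather than in the certificate is visible here: tightening or revoking gw1's allowed networks is a local edit to POLICY_DB, with no reissued certificate and no dependence on the CA's revocation path.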

