
Re: issues with IKE that need resolution



Rodney,

>What do you want certificates to contain for these other ID types?  People
>have asked me, off and on, about subnets having their own certificates and
>other cases.  Sounds reasonable to me, but I can just see some PKI service
>provider blanching at the notion of issuing a certificate for an entire
>class A subnetwork.

As it turns out, we are working on a DARPA program to deploy certificate
issuance capabilities to the IANA and its designees (ARIN, RIPE, APNIC),
that would result in issuing certificates that align exactly with portions
of the IP address space.  The PKI for this would have IANA as the root and
would exactly align with current (and historical) practice for assignment
of IP (v4) address space allocations.  The focus of the program is BGP
security and thus would not go so far as to hand out certificates to those
who do not run BGP. However, if there is a demand for such certs due to
IPsec, it would be well within the ability of this PKI to issue certs to
address space owners who request them, even though they are not BGP users.
What is needed to make this work is a pull from ISPs who hear from their
clients that the existence of this PKI would benefit the clients who are
working to establish VPNs.

Comments?

Steve

