
Re: IBM VPN Bakeoff Issues



>> 17. The HASH payload must be the first payload in a info/new group
>> exchange.  This isn't clear in the documents.

From the draft-ietf-isakmp-oakley-08 draft, section 5.7 and I quote:

   If the ISAKMP security association has not yet been established at
   the time of the Informational Exchange, the exchange is done in the
   clear without an accompanying HASH payload.

I also don't understand why we would want to do this:

>> 36. X.500 DN is a valid ID type when doing shared-secret authentication

To me, shared secret authentication is for allowing IKEs that don't have
any knowledge of LDAPs or certificates.  Requiring X.500 DN names is hard to
express by an administrator without some sort of knowledge about getting the
DN name from an LDAP or certificate.  I would like to see this requirement
go away.  I don't mind tying shared secrets to e-mail addresses or fully
qualified domain names since these can be expressed easily, but getting the
DN name correctly would be a nightmare.  Let's drop this requirement.

Chris McCann
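As an added example (not from this thread or any of its participants), a Python checker for the rule discussed in item 17 and the quoted section 5.7: it parses the ISAKMP header and, for a cleartext message, the payload chain, then reports whether an Informational exchange carries a HASH payload first when an ISAKMP SA exists and no HASH when none does. Exchange and payload type numbers are the RFC 2408 values; the sample messages and the build helper are constructed for the example.

```python
import struct

ISAKMP_HDR_LEN = 28
EXCH_INFORMATIONAL = 5            # RFC 2408 exchange type
PAYLOAD_NONE, PAYLOAD_HASH, PAYLOAD_NOTIFY = 0, 8, 11
FLAG_ENCRYPTION = 0x01            # E bit: everything after the header is ciphertext

def build_isakmp(exchange, flags, payloads, msg_id=0x1234):
    """Constructed sample only: assemble a header plus a payload chain."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      exchange, flags, msg_id, ISAKMP_HDR_LEN + len(body))
    return hdr + body

def parse_isakmp(msg):
    """Return the header fields and, for cleartext messages, the payload type chain."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    _ic, _rc, first, _ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError("length field does not match datagram size")
    hdr = {"first_payload": first, "exchange": exch, "flags": flags, "msg_id": msg_id}
    if flags & FLAG_ENCRYPTION:
        return hdr, None              # chain is encrypted; only the header is readable
    chain, off, ptype = [], ISAKMP_HDR_LEN, first
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        chain.append(ptype)
        off, ptype = off + plen, nxt
    return hdr, chain

def check_informational(msg, sa_established):
    """Apply the section 5.7 rule: returns 'ok' or a reject reason."""
    hdr, _chain = parse_isakmp(msg)
    if hdr["exchange"] != EXCH_INFORMATIONAL:
        return "not an Informational exchange"
    if sa_established:
        if hdr["first_payload"] != PAYLOAD_HASH:
            return "reject: HASH must be the first payload under an ISAKMP SA"
        if not hdr["flags"] & FLAG_ENCRYPTION:
            return "reject: Informational under an ISAKMP SA must be encrypted"
        return "ok"
    if hdr["first_payload"] == PAYLOAD_HASH or hdr["flags"] & FLAG_ENCRYPTION:
        return "reject: no ISAKMP SA, expected cleartext without HASH"
    return "ok"
```

The first-payload test reads only the header's Next Payload field, which stays in the clear even when the E bit is set, so the check works without the SA's keys.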