[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: ISAKMP Extended Authentication

To: "'Tero Kivinen'" <kivinen@ssh.fi>
Subject: RE: ISAKMP Extended Authentication
From: Greg Carter <greg.carter@entrust.com>
Date: Tue, 24 Nov 1998 14:51:54 -0500
Cc: John Irish <irishjd@erols.com>, IPSEC <ipsec@tis.com>
Sender: owner-ipsec@ex.tis.com

> ----------
> From: 	Tero Kivinen[SMTP:kivinen@ssh.fi]
> Sent: 	Tuesday, November 24, 1998 2:35 PM
> To: 	Greg Carter
> Cc: 	John Irish; IPSEC
> Subject: 	RE: ISAKMP Extended Authentication
> 
> 
> If the other end trusts the host, it trusts the host. If the other end
> doesn't trust the host, there is no use to try to authenticate the
> host, and we just use end user certificate directly.
> 
> 
That's the problem the other end does NOT trust the host, it trusts only the
CA for identity binding.  In order for the host to be able to create these
short lived certificates the hosts would have to be certified as CA's (i.e.
basicConstraints set to CA and have Certificate Sign bit turned on in key
usage).  You may be able to argue that with path constraints you could
narrow what that host would be able to sign, but if you tried to narrow the
available set of users for a particular host it probably wouldn't have much
practical use (I could be wrong).  In the end I don't think you will find
many customers willing to have 'hosts' acting as CA's .


Bye.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com

Follow-Ups:

RE: ISAKMP Extended Authentication

From: Tero Kivinen <kivinen@ssh.fi>

Prev by Date: RE: ISAKMP Extended Authentication
Next by Date: Re: ISAKMP Extended Authentication
Prev by thread: Re: ISAKMP Extended Authentication
Next by thread: RE: ISAKMP Extended Authentication
Index(es):
- Main
- Thread