
ISAKMP certificate exchange using transaction exchanges



Hi,
Thanks for any comments on the following.

SUBJECT: Extension of configuration attributes for
draft-ietf-ipsec-isakmp-mode-cfg-04.txt.
REFERENCE: draft-ietf-ipsec-isakmp-mode-cfg-04.txt pages 5 and 6.
PURPOSE: Transfer a user's SPKI certificates using transaction
exchanges.
I am trying to find the best solution in order to transfer a user SPKI
certificate within an IPSec connection establishment.
Note that the SPKI certificate is not used to authenticate the host but
to send the user's permissions.

SCENARIO:
A user using host H1 accesses a file on host H2. To access this file, the
user needs to provide a SPKI certificate.
We are trying here to make this transfer of the certificate independent of
the application.
The idea is to use the IPSec connection establishment to send the
required certificate.
A solution would be to use the transaction exchanges defined in
<draft-ietf-ipsec-isakmp-mode-cfg-04.txt> pages 5 and 6.
In such a case, the ISAKMP transaction will be as follows:

   Initiator (H2)                           Responder (H1)
 -----------------                      ---------------------
 HDR*, HASH, ATTR1(REQUEST)   -->
                              <--       HDR*, HASH, ATTR2(REPLY)

where
ATTR1(REQUEST) =
    SPKI_CERTIFICATE()

ATTR2(REPLY) =
    SPKI_CERTIFICATE(certificate)

In this scenario, the certificate is just transported by the transaction
exchange and at the IPSec level, there is no use of this certificate.

QUESTIONS:
In <draft-ietf-ipsec-isakmp-mode-cfg-04.txt> you say: "It is hoped that
more attribute types will be defined in the future documents. Some
suggestions would be to distribute local policy, or even authenticate
certificates."

1. Would it be interesting to add this kind of configuration attribute?

2. The transaction exchange will happen after completion of ISAKMP phase
I and therefore the payload will be encrypted. 
Do you think that the certificate needs to be signed by the host H1 so
that H2 knows that the received certificate is the one of the user using
H1 or the ISAKMP header (in particular COOKIE-I and COOKIE-R)  is enough
to know that it is the right certificate?

3. The extended authentication within ISAKMP/Oakley does not mention the
use of SPKI certificates? 
As it could be seen as a one way authentication (and more than just
authentication), would it be interesting to have a look at it?

4. There are a lot of emails around ISAKMP/Oakley Certificate Exchange
but this exchange happens during Phase I and not after. What are the
benefits of this approach compared to the use of Transaction Exchange?

5. Lastly, it is possible that I am smoking somewhere mixing 2 things
that should not be mixed together, therefore, I will appreciate your
views on that.


Thanks a lot

best regards,

Mathias
-- 
___________________________________________
Mathias SALLE
Networked Systems Dpt.
Hewlett-Packard Research Labs
Filton Road
Stoke Gifford
Bristol  BS12 6QZ, UK

E-mail: matsal@otter.hpl.hp.com
Tel   : +44 (0)117 922 9753
___________________________________________
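
The ATTR1(REQUEST)/ATTR2(REPLY) pair from the scenario above, as an added example that is not part of the original message or of the draft: it encodes and strictly parses an attribute payload carrying the proposed attribute. Assumptions: the payload layout (generic ISAKMP payload header, then Type, RESERVED, Identifier, then variable-length data attributes) should be checked against the draft, and the SPKI_CERTIFICATE type number 16384 and the certificate bytes are placeholders.

```python
import struct

# Assumed values, not taken from the original message: REQUEST=1 / REPLY=2
# follow the mode-cfg draft; SPKI_CERTIFICATE has no assigned number.
CFG_REQUEST, CFG_REPLY = 1, 2
SPKI_CERTIFICATE = 16384  # hypothetical attribute type

def build_attr_payload(cfg_type, identifier, attrs, next_payload=0):
    """attrs: list of (attr_type, value); an empty value asks the peer for it."""
    body = b""
    for attr_type, value in attrs:
        if not 0 <= attr_type < 0x8000 or len(value) > 0xFFFF:
            raise ValueError("attribute does not fit the variable-length (AF=0) form")
        body += struct.pack("!HH", attr_type, len(value)) + value
    length = 8 + len(body)
    if length > 0xFFFF:
        raise ValueError("payload too long")
    return struct.pack("!BBHBBH", next_payload, 0, length, cfg_type, 0, identifier) + body

def parse_attr_payload(data):
    """Return (cfg_type, identifier, {attr_type: value}); reject inconsistent lengths."""
    if len(data) < 8:
        raise ValueError("truncated payload header")
    _np, _r1, length, cfg_type, _r2, identifier = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError("payload length field does not match data")
    attrs, off = {}, 8
    while off < length:
        if length - off < 4:
            raise ValueError("truncated attribute header")
        attr_type, alen = struct.unpack("!HH", data[off:off + 4])
        if attr_type & 0x8000:
            raise ValueError("fixed-length (AF=1) attribute not expected here")
        off += 4
        if alen > length - off:
            raise ValueError("attribute value overruns payload")
        attrs[attr_type] = data[off:off + alen]
        off += alen
    return cfg_type, identifier, attrs

def demo():
    cert = b"(cert (issuer ...) (subject ...))"  # constructed placeholder, not a real certificate
    request = build_attr_payload(CFG_REQUEST, 7, [(SPKI_CERTIFICATE, b"")])   # H2 -> H1
    reply = build_attr_payload(CFG_REPLY, 7, [(SPKI_CERTIFICATE, cert)])      # H1 -> H2
    return parse_attr_payload(request), parse_attr_payload(reply)
```

The parser only checks framing; it says nothing about whether the certificate belongs to the user on H1, which is the point raised in question 2.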