
Re: New IPSec Monitoring MIB draft



Lewis McCarthy writes:
> > Yes, you can have multiple certificates, but at the end you only have
> > ONE end user public key you use in the authentication, taken from the
> > certificate. There isn't a reason to include the whole path; only the
> > end user certificate used in the authentication is really interesting.
> This last point isn't obvious to me. In view of the work on trust metrics
> for certification paths, I imagine that examining the whole path might be
> useful. Since the overall authentication relies upon the entire path, I'm
> not sure why you would single out the terminal cert for inclusion in the MIB.

Mostly, because that information can be quite large, and getting it
can be quite hard. Also, the management station etc. can do the same
path validation procedures as the IKE did if it wants.

One thing we might want to add is a table of trusted
CA certificates in the MIB, so the management station etc. can do that
path finding itself.

I just don't currently see any reason to include all of the
certificates used in the authentication, and including them doesn't
provide any useful information that is not already available.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
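To illustrate the point above (that a management station holding only the end-entity certificate plus a table of trusted CA certificates can find the path itself), here is an added example of the path-building step; it is not from the draft or from any poster, and the certificate records, the MIB table names and the intermediate pool are all constructed stand-ins for real X.509 data.

```python
from collections import namedtuple

# Constructed, simplified certificate record: only the naming fields
# that path building needs. Real X.509 parsing, signature, validity
# and name-constraint checks are deliberately out of scope here.
Cert = namedtuple("Cert", "subject issuer")

# Constructed sample of what the MIB would expose: the end-entity cert
# from the IKE authentication and a hypothetical trusted-CA table.
END_ENTITY = Cert(subject="CN=gw1.example", issuer="CN=Sub CA")
TRUSTED_CA_TABLE = [Cert(subject="CN=Root CA", issuer="CN=Root CA")]

# Intermediates the management station obtained on its own (e.g. from
# a directory); constructed here, including an unrelated CA and a loop.
INTERMEDIATE_POOL = [
    Cert(subject="CN=Sub CA", issuer="CN=Root CA"),
    Cert(subject="CN=Other Sub", issuer="CN=Other Root"),
    Cert(subject="CN=Loop A", issuer="CN=Loop B"),
    Cert(subject="CN=Loop B", issuer="CN=Loop A"),
]


def build_path(end_entity, trusted, pool, max_len=8):
    """Return [end_entity, ..., trust_anchor] or None if no anchor in
    'trusted' is reachable. Depth-first search over issuer names; the
    'seen' set and max_len stop issuer loops and runaway chains."""

    def walk(chain, seen):
        if len(chain) > max_len:
            return None
        tail = chain[-1]
        # Terminate as soon as the issuer is a trusted CA from the table.
        for anchor in trusted:
            if anchor.subject == tail.issuer:
                return chain + [anchor]
        # Otherwise extend through any not-yet-visited intermediate.
        for cand in pool:
            if cand.subject == tail.issuer and cand.subject not in seen:
                found = walk(chain + [cand], seen | {cand.subject})
                if found:
                    return found
        return None

    return walk([end_entity], {end_entity.subject})


def path_subjects(end_entity, trusted, pool):
    """Convenience: the found path as a list of subject names."""
    path = build_path(end_entity, trusted, pool)
    return None if path is None else [c.subject for c in path]
```

Signature verification of each link, validity periods and revocation status would still have to be checked by the management station after this step; the example only shows that the MIB need not carry the whole chain for the path to be recovered.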

