
Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt



well, if we're re-opening this worm can, then...

why end system and not gateway?  If I have a router that
is a gateway in front of 3000 hosts, do I claim to
be an End System?  I certainly shouldn't claim to be
a 'user' as there's no human associated with it, right?

I thought we had consensus that we wanted to say "IPsec thing"
or something non-committal as to user, end system, gateway,
garage door opener, or anything else running IPsec.

Do we want to pull the OIDs out of my draft (and what,
deprecate them out of the IANA registry?), or do we want
to pull/alter the ones in 2459?

At 02:40 PM 8/2/99 -0400, Stephen Kent wrote:
>Mark,
>
>IPsec, unlike SSL, has no client or server roles.  It is a peer
>communication protocol.  So, I am not so keen to put in distinctions of the
>sort you mentioned.  Aslo, the following OIDs are from 2459, and they don't
>contain an "ipsec server" entry:
>
>KeyPurposeId ::= OBJECT IDENTIFIER
>
>-- extended key purpose OIDs
>id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
>id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
>id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
>id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
>id-kp-ipsecEndSystem  OBJECT IDENTIFIER ::= { id-kp 5 }
>id-kp-ipsecTunnel     OBJECT IDENTIFIER ::= { id-kp 6 }
>id-kp-ipsecUser       OBJECT IDENTIFIER ::= { id-kp 7 }
>id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
>
>
>I hate to admit it, as co-chair of PKIX, but I'm not sure why we have an
>ipsecTunnel entry here.  User and EndSystem make sense, but not tunnel.
>
>Steve  
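As an added illustration, not part of the message above or of RFC 2459's own text: a small pure-Python DER routine that encodes and decodes an extKeyUsage value (ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId) and reports which of the three 2459 IPsec KeyPurposeIds a certificate asserts. It is the check an IKE peer would run on the EKU extension content before deciding the certificate was issued for IPsec at all. The sample EKU byte strings are constructed here for the example and are not taken from any real certificate; the function and constant names are this example's own.

```python
# Added example: encode/decode the extKeyUsage extension value from RFC 2459
# and check it for the IPsec KeyPurposeIds.  Pure Python, minimal DER.
# All sample byte strings below are constructed here, not from real certs.

ID_KP = "1.3.6.1.5.5.7.3"

# The eight KeyPurposeIds listed in RFC 2459 section 4.2.1.13.
KEY_PURPOSES = {
    ID_KP + ".1": "id-kp-serverAuth",
    ID_KP + ".2": "id-kp-clientAuth",
    ID_KP + ".3": "id-kp-codeSigning",
    ID_KP + ".4": "id-kp-emailProtection",
    ID_KP + ".5": "id-kp-ipsecEndSystem",
    ID_KP + ".6": "id-kp-ipsecTunnel",
    ID_KP + ".7": "id-kp-ipsecUser",
    ID_KP + ".8": "id-kp-timeStamping",
}

# The three purposes 2459 defines for IPsec; note there is no "ipsec server".
IPSEC_PURPOSES = {ID_KP + ".5", ID_KP + ".6", ID_KP + ".7"}


def _base128(n):
    """Encode one OID arc as big-endian base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _length(n):
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER TLV for a dotted-decimal OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    body += b"".join(_base128(a) for a in arcs[2:])
    return bytes([0x06]) + _length(len(body)) + body


def decode_oid(content):
    """Dotted-decimal string from the content octets of an OBJECT IDENTIFIER."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID content")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:  # first subidentifier packs the first two arcs (X.690)
                first = min(value // 40, 2)
                arcs.extend([first, value - 40 * first])
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(dotted_oids):
    """DER ExtKeyUsageSyntax: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in dotted_oids)
    return bytes([0x30]) + _length(len(body)) + body


def decode_eku(der):
    """List of dotted OIDs from a DER extKeyUsage value; rejects bad shapes."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    if not oids:
        raise ValueError("ExtKeyUsageSyntax is SIZE (1..MAX), got empty")
    return oids


def ipsec_purposes(der):
    """Names of the 2459 IPsec KeyPurposeIds asserted by this EKU value."""
    return [KEY_PURPOSES[o] for o in decode_eku(der) if o in IPSEC_PURPOSES]


# Constructed sample EKU values (hypothetical; not from real certificates).
GATEWAY_EKU = encode_eku([ID_KP + ".5", ID_KP + ".6"])   # end system + tunnel
USER_EKU = encode_eku([ID_KP + ".7"])                    # ipsecUser only
WEB_EKU = encode_eku([ID_KP + ".1", ID_KP + ".2"])       # TLS roles, no IPsec

if __name__ == "__main__":
    for name, eku in (("gateway", GATEWAY_EKU), ("user", USER_EKU), ("web", WEB_EKU)):
        print(name, eku.hex(), ipsec_purposes(eku))
```

The decoder is deliberately strict about shape (one SEQUENCE, only OIDs inside, at least one entry) so that a peer does not quietly accept a malformed extension as "no restriction"; which of the three IPsec purposes a gateway in front of 3000 hosts should carry is exactly the open question in the thread, so the code reports the asserted purposes rather than deciding a role.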


