Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
well, if we're re-opening this worm can, then...
why end system and not gateway? If I have a router that
is a gateway in front of 3000 hosts, do I claim to
be an End System? I certainly shouldn't claim to be
a 'user' as there's no human associated with it, right?
I thought we had consensus that we wanted to say "IPsec thing"
or something non-committal as to user, end system, gateway,
garage door opener, or anything else running IPsec.
Do we want to pull the OIDs out of my draft (and what,
deprecate them out of the IANA registry?), or do we want
to pull/alter the ones in 2459?
At 02:40 PM 8/2/99 -0400, Stephen Kent wrote:
>Mark,
>
>IPsec, unlike SSL, has no client or server roles. It is a peer
>communication protocol. So, I am not so keen to put in distinctions of the
>sort you mentioned. Also, the following OIDs are from 2459, and they don't
>contain an "ipsec server" entry:
>
>KeyPurposeId ::= OBJECT IDENTIFIER
>
>-- extended key purpose OIDs
>id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
>id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
>id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
>id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
>id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 }
>id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 }
>id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 }
>id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
>
>
>I hate to admit it, as co-chair of PKIX, but I'm not sure why we have an
>ipsecTunnel entry here. User and EndSystem make sense, but not tunnel.
>
>Steve
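The KeyPurposeId values Steve quotes hang off the id-kp arc (id-pkix 3, i.e. 1.3.6.1.5.5.7.3 in RFC 2459), and an IKE implementation sees them as the DER-encoded extendedKeyUsage value of the peer's certificate. The following is an added example, not code from the thread or from any IPsec or PKIX implementation: it encodes and decodes that ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER), names the three IPsec purposes, and applies an acceptance rule. The rule itself (accept a peer presenting any of ipsecEndSystem, ipsecTunnel or ipsecUser) is my assumption, chosen precisely because the thread leaves open which one a gateway should carry; the function and constant names are mine.

```python
# Minimal DER encoder/decoder for the extendedKeyUsage extension value
# (ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId, RFC 2459 4.2.1.13).
# Only the two universal tags involved, OBJECT IDENTIFIER (0x06) and SEQUENCE (0x30),
# are handled. Names and policy below are assumptions of this example.

# id-kp = id-pkix 3 = 1.3.6.1.5.5.7.3 (RFC 2459), the arc the quoted OIDs belong to
ID_KP = "1.3.6.1.5.5.7.3"
KEY_PURPOSES = {
    ID_KP + ".1": "id-kp-serverAuth",
    ID_KP + ".2": "id-kp-clientAuth",
    ID_KP + ".3": "id-kp-codeSigning",
    ID_KP + ".4": "id-kp-emailProtection",
    ID_KP + ".5": "id-kp-ipsecEndSystem",
    ID_KP + ".6": "id-kp-ipsecTunnel",
    ID_KP + ".7": "id-kp-ipsecUser",
    ID_KP + ".8": "id-kp-timeStamping",
}
IPSEC_PURPOSES = {ID_KP + ".5", ID_KP + ".6", ID_KP + ".7"}


def encode_base128(n):
    """Encode one OID sub-identifier as big-endian base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_length(n):
    """DER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        body += encode_base128(arc)
    return bytes([0x06]) + encode_length(len(body)) + bytes(body)


def encode_eku(oids):
    """Encode a list of dotted OIDs as an ExtKeyUsageSyntax SEQUENCE (tag 0x30)."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30]) + encode_length(len(body)) + body


def read_length(buf, pos):
    """Parse a DER length at buf[pos]; returns (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid_body(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val, pending = 0, False
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Decode an ExtKeyUsageSyntax value into a list of dotted OIDs, rejecting malformed input."""
    if not der or der[0] != 0x30:
        raise ValueError("extendedKeyUsage value must be a SEQUENCE")
    length, pos = read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SEQUENCE length does not match buffer")
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        length, pos = read_length(der, pos + 1)
        if pos + length > end:
            raise ValueError("OID runs past end of SEQUENCE")
        oids.append(decode_oid_body(der[pos:pos + length]))
        pos += length
    if not oids:
        raise ValueError("ExtKeyUsageSyntax requires at least one KeyPurposeId")
    return oids


def ipsec_purposes(der):
    """Names of the RFC 2459 IPsec KeyPurposeIds present in an encoded EKU value."""
    return [KEY_PURPOSES[o] for o in decode_eku(der) if o in IPSEC_PURPOSES]


def accept_peer_eku(der):
    """Assumed policy: accept a peer whose EKU carries any of the three IPsec purposes."""
    return bool(ipsec_purposes(der))


if __name__ == "__main__":
    # Constructed sample: a gateway certificate carrying only id-kp-ipsecTunnel
    gateway_eku = encode_eku([ID_KP + ".6"])
    print(gateway_eku.hex(), decode_eku(gateway_eku), ipsec_purposes(gateway_eku))
```

The decoder deliberately refuses trailing bytes, truncated sub-identifiers and an empty SEQUENCE, which is the behaviour one wants in the certificate path of an IKE daemon rather than a lenient parser.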