Hi

Rodney Thayer wrote:

> why end system and not gateway? If I have a router that
> is a gateway in front of 3000 hosts, do I claim to
> be an End System? I certainly shouldn't claim to be
> a 'user' as there's no human associated with it, right?

I think ipsecTunnel makes perfect sense here. You are specifically saying that this device is allowed to offer tunneling.

> I thought we had consensus that we wanted to say "IPsec thing"
> or something non-committal as to user, end system, gateway,
> garage door opener, or anything else running IPsec.

You definitely want to have SOME way to differentiate, so that you can issue certificates to users under a different policy easily, and have your infrastructure recognize and act on the differentiation. But perhaps this differentiation should be done based on the subjectAltName?

Here's my concern. Say we want to issue 5,000 IPSEC certs to clients for remote access. And we have 10 routers that need to talk to one another. We install the CA cert on the routers. Now someone steals the key for one of our client certs (usually not hard to do if any one of the 5,000 will work). Can they install that "client" cert on a router and make it insert itself as a magical router number 11, since it has a cert issued by the CA? How will the other routers know to reject the client cert when it tries to behave like a router? Is it because it might have an emailAddress subjectAltName instead of an iPAddress/dNSName?

> Do we want to pull the OID's out of my draft (and what,
> deprecate them out of the IANA registry?), or do we want
> to pull/alter the ones in 2459?

I think your draft and RFC2459 should be consistent with one another, and I think the question of "how do you tell a router cert from a client cert" needs to be addressed.

Cheers,

-- 
Mark Shuttleworth
Thawte
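The "router number 11" scenario above comes down to whether a peer's policy check looks at more than "issued by our CA". The following is an added example, not code from this thread or from either author, showing one way a gateway can tell a router cert from a client cert: it requires both the ipsecTunnel extended key usage (the RFC 2459 OIDs, as exposed by Go's standard crypto/x509 package) and an iPAddress subjectAltName that matches the peer's tunnel endpoint. The CA, the two certificates, the endpoint address 192.0.2.1 and the user alice@example.com are all constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// testPKI is a constructed in-memory PKI: a CA, a gateway cert and a client cert.
type testPKI struct {
	Roots          *x509.CertPool
	Router, Client *x509.Certificate
}

// template returns a one-day-valid certificate template; callers add the
// extended key usage and subjectAltName entries that express the role.
func template(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issue generates a fresh P-256 key and signs tmpl with parentKey; a nil
// parentKey means self-signed (used for the CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func buildTestPKI() (*testPKI, error) {
	caTmpl := template(1, "Example IPsec CA (constructed)")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, err
	}
	// Gateway: ipsecTunnel EKU and an iPAddress SAN naming its tunnel endpoint (TEST-NET address).
	gwTmpl := template(2, "gw-01")
	gwTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}
	gwTmpl.IPAddresses = []net.IP{net.ParseIP("192.0.2.1")}
	router, _, err := issue(gwTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	// Remote-access client: ipsecUser EKU and an rfc822Name SAN, no iPAddress at all.
	clTmpl := template(3, "alice")
	clTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECUser}
	clTmpl.EmailAddresses = []string{"alice@example.com"}
	client, _, err := issue(clTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &testPKI{Roots: roots, Router: router, Client: client}, nil
}

// authorizeGateway is the check a router runs on a peer claiming to be a fellow
// gateway. It returns nil only when (1) the cert chains to a trusted CA,
// (2) every cert in the chain that carries an EKU permits ipsecTunnel, and
// (3) an iPAddress subjectAltName equals the peer's tunnel endpoint.
// A stolen remote-access client cert fails (2) and (3) even though (1) holds.
func authorizeGateway(cert *x509.Certificate, roots *x509.CertPool, peer net.IP) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	})
	if err != nil {
		return fmt.Errorf("chain or extended key usage rejected: %w", err)
	}
	for _, ip := range cert.IPAddresses {
		if ip.Equal(peer) {
			return nil
		}
	}
	return errors.New("no iPAddress subjectAltName matches the peer's tunnel endpoint")
}

func main() {
	p, err := buildTestPKI()
	if err != nil {
		panic(err)
	}
	gw := net.ParseIP("192.0.2.1")
	fmt.Println("router cert as gateway:", authorizeGateway(p.Router, p.Roots, gw))
	fmt.Println("client cert as gateway:", authorizeGateway(p.Client, p.Roots, gw))
}
```

The two checks are deliberately independent: the EKU says what role the CA meant the certificate to play, and the subjectAltName says which endpoint it was issued to, so a certificate that passes one but not the other (a router cert presented from a different address, or a user cert that happens to carry an iPAddress) is still refused.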