Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt

[Stephen Kent <kent@po1.bbn.com>]

Mark & Rodney,

Certs are inputs to access control decisions, but one must be careful to
not overload a cert.  It is not a place to put eveything one might wish to
express in terms of A/C policy.

Extended key usage flags should represent simple differentiators for key
usage, with some security basis. In S/MIME, one can see a good reason to
distinguish keys used for signatures vs. key transport, for example.  The
flag for ipsecTunnel strikes me as an example of overloading. In IPsec we
may need to distinguish between an end system and a security gateway.  But,
I don't know if we need to do this via use of these flags.  I'd like to
hear some cogent arguments.

If we can't define a set of flags that we all agree are appropriate for
IPsec, then 2459, when revised for Proposed, may drop all of them and leave
it to the IPsec WG to define its own.

steve

---

Follow-Ups:

• Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
• From: Mark Shuttleworth <marks@thawte.com>

References:

• PKIX vs draft-ietf-ipsec-pki-req-02.txt
• From: Mark Shuttleworth <marks@thawte.com>
• Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
• From: Rodney Thayer <rodney@ssh.fi>
• Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
• From: Mark Shuttleworth <marks@thawte.com>

---

• Prev by Date: the next rev of XAUTH
• Next by Date: Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
• Prev by thread: Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
• Next by thread: Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
• Index(es):
  • Main
  • Thread