Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt
>>>>> "Mark" == Mark Shuttleworth <marks@thawte.com> writes:
Mark> I'm certainly in agreement with you about overloading. But I think
Mark> that organizations will want to build SIMPLE rules to differentiate
Mark> between routers, gateways and end-users. They should be able to do
Mark> this JUST by looking at the cert, and not by referring to a
Mark> directory or other source (otherwise you add another fragile link
Mark> in the chain).
So, sign these three things with different CAs.
Better yet, attach attribute authority or SPKI certs to the plain
certificate.
Mark> For example, in many of the current implementations I've seen you
Mark> have to explicitly manually trust the certificates of each of the
Mark> devices you want to talk to. This is a configuration nightmare in
Mark> larger-scale deployments. Each device needs to be manually told
That is why you want AA or SPKI certificates.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
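Added example, not code from this thread or from any implementation it mentions: in Go, standard library only, one independent CA per device class (router, gateway, end-user) and a Classify check that reads a peer's role purely from which locally configured CA verifies its certificate, with no directory or other external lookup. The role labels, CA names, key type (Ed25519) and lifetimes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Role is the device class a peer should be able to read straight off the certificate.
type Role string
const Router, Gateway, EndUser, Unknown Role = "router", "gateway", "end-user", "unknown"
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// Mint issues a certificate for cn signed by parent/parentKey; a nil parent yields a
// self-signed CA. Names and lifetimes are constructed for this example.
func Mint(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root: the template signs itself and may sign others
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
// Classify returns the role whose CA verifies cert, using only the cert and the locally
// configured per-role roots: no directory or other external lookup is involved.
func Classify(cert *x509.Certificate, cas map[Role]*x509.Certificate) Role {
	for role, ca := range cas {
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err == nil {
			return role
		}
	}
	return Unknown
}
```

A certificate chaining to a CA that is not in the configured map gets no role at all, even if its issuer carries the same name as a trusted CA, because the decision rests on the signing key.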