
Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt



Hiya

>   So, sign these three things with different CAs.

We do. But I know at least one implementation from a major vendor that
assumes the same CA across users, routers and firewalls. Strange but
true.

>   Better yet, attach attribute authority or SPKI certs to the plain
> certificate.

Whoa. Who's implemented attribute authority? And who's implemented SPKI?
I've no problem with alternatives like these, but I think EVERYONE does
ExtendedKeyUsage (or can do trivially) and subjectAltName, so the
solution should lie there.

Do the majority of implementations out there today match the dNSName or
iPAddress in a cert's subjectAltName against the IP address they are
exchanging packets with?
 
--
Mark Shuttleworth
Thawte
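As an added illustration of the two points raised in the message above (telling user, router and firewall certificates apart when one CA issues all of them, and matching the subjectAltName against the peer actually on the wire), here is a small Go program using only the standard crypto/x509 package. It is not code from the original thread or from any vendor implementation mentioned there. The self-signed gateway certificate, the address 192.0.2.1, the name gw.example.net and the helper names are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeGatewayCert builds a constructed, self-signed certificate for a
// hypothetical IPsec gateway. subjectAltName carries both an iPAddress and a
// dNSName, and extendedKeyUsage records the role the cert was issued for, so
// a relying party can distinguish a gateway cert from a user cert even when
// the same CA issued both.
func makeGatewayCert(ip net.IP, dnsName string, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
		IPAddresses:  []net.IP{ip},
		DNSNames:     []string{dnsName},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PeerIPMatchesSAN answers the question in the mail: does an iPAddress entry
// in subjectAltName equal the address we are exchanging packets with?
func PeerIPMatchesSAN(cert *x509.Certificate, peer net.IP) bool {
	for _, ip := range cert.IPAddresses {
		if ip.Equal(peer) {
			return true
		}
	}
	return false
}

// PeerNameMatchesSAN does the same for a dNSName entry, for deployments that
// identify the peer by name; VerifyHostname also accepts an IP literal.
func PeerNameMatchesSAN(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(name) == nil
}

// HasExtKeyUsage checks that the cert carries the role we expect. A user cert
// from the same CA must not be accepted where a gateway cert is required.
func HasExtKeyUsage(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

func main() {
	gwIP := net.ParseIP("192.0.2.1") // constructed documentation address
	cert, err := makeGatewayCert(gwIP, "gw.example.net",
		[]x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel})
	if err != nil {
		panic(err)
	}
	// A peer presenting this cert from 192.0.2.1 passes; the same cert seen
	// from another address, or used in a user role, is rejected.
	fmt.Println("peer 192.0.2.1 matches SAN:", PeerIPMatchesSAN(cert, gwIP))
	fmt.Println("peer 192.0.2.2 matches SAN:", PeerIPMatchesSAN(cert, net.ParseIP("192.0.2.2")))
	fmt.Println("name gw.example.net matches:", PeerNameMatchesSAN(cert, "gw.example.net"))
	fmt.Println("issued for IPsec tunnel role:", HasExtKeyUsage(cert, x509.ExtKeyUsageIPSECTunnel))
	fmt.Println("issued for IPsec user role:  ", HasExtKeyUsage(cert, x509.ExtKeyUsageIPSECUser))
}
```

The address check deliberately compares against the address packets actually arrive from, not against anything the peer asserts inside the exchange; a certificate that is valid but bound to a different address or role fails closed.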
