
Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt



Mark,

>
>> Why do I care about tunnel use?   Gateways must use tunnels, but end
>> systems may use tunnels as well.
>
>I had thought that many companies might consider tunnels more risky and
>want to be able to differentiate clearly between devices that can offer
>tunneling and those that cannot. This is difficult to do based purely on
>subjectAltName.

Well, it depends.  An ESP transport connection hides port and protocol
info, just not address info.  Many of the folks who express concern about
IPsec traffic traversing a firewall are bothered because of that level of
concealment, so I think we have already crossed the threshold, without
invoking tunnel mode.

Also, I have to agree with another list member who observed that if we want
to mark certs to simplify access control decisions, we are moving into the
realm where ACs are the most appropriate choice. This is consistent with my
earlier observation about not overloading a cert, or a field in a cert.  I
should have been more precise and said that I was thinking of a public key
cert.

Steve

