
Re: PGP keys in IKE



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've been meaning to document what we did in a draft, but haven't
gotten around to it.  It really is pretty simple, and as Michael
Richardson noted the ISAKMP draft does in fact cover the IDs used for
PGP in IKE.

Beyond that, the only things left to document for this are
essentially:

* PGP keys are included in the CERT payload with the appropriate ID
from ISAKMP, and the format of those keys is the standard OpenPGP
binary key format from RFC 2440.  In other words, don't ASCII-armor
the key.

* Certificate chains are less relevant because all relevant
signatures are included on the OpenPGP key.  Depending on policy, you
could include a specific chain of trusted introducers based on the
primary meta-introducer as the root for a cert chain.

* It is recommended that a Certificate Request payload be sent with
the PGP identifier so as to make sure there is no confusion over
certificate types.  With the imminent advent of DNS keys in IKE and
some people using X.509 now, I think this is going to be important
for all implementations.

* PGPnet is a VPN client, therefore we don't want to make it
necessary that a particular user have a fixed IP address.  If one
were to make a gateway product that supported PGP keys, one would
want to use a PGP key that includes the IP address of the device.  To
do that, or to include the DNS name in a PGP key, use an attribute
user ID (a la photo IDs) defined for that purpose.

* The Phase 1 ID must be (regardless of whether you are using PGP or
X.509 or ...) based on the certificate.  In the case of PGP, it
must be the primary user ID.



Josef Pojsl wrote:
> 
> Hello,
> 
> please forgive me if my question has been asked here (but I have
> been listening for a couple of weeks now and it has not):
> 
> NAI included in their IKE implementation (PGPnet) the ability
> to authenticate through PGP keys as an alternative to X.509
> certificates. AFAIK, the RFCs do not mention PGP keys and specify
> only X.509 authentication. Is there any effort to give out
> a standard for PGP authentication in IKE?
> 
> Thanks in advance for any comments.
> 
> Josef
> 
> --
> Josef Pojsl                           mailto:josef.pojsl@skynet.cz
> SkyNet, a.s.                                  NAI Security Partner
> PGP fingerprint: 23CB DE28 51A9 53F1 0C1F 67EF B3ED 8435 9D1B C7C8

- -- 

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOFaPXqy7FkvPc+xMEQJjEQCg42U1/v30tISySr+pLVOIqDfm9BcAn3QL
WQ0oj5bLmzXyDp40blA2sINm
=srMy
-----END PGP SIGNATURE-----


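The CERT, CERTREQ and Phase 1 ID handling Will Price lists above, worked through as an added example; this is not code from the original message or from PGPnet.  It parses the RFC 2440 binary packet framing (old- and new-format headers) far enough to pull the primary User ID out of a transferable public key, refuses ASCII-armored input, wraps the key in an ISAKMP CERT payload with the RFC 2408 "PGP Certificate" encoding value (2), emits a CERTREQ naming that same encoding so the peer cannot confuse it with an X.509 or DNS request, and builds an ID payload from the primary user ID.  Two things are assumptions rather than anything the message states: that the e-mail address in the primary user ID is sent as ID_USER_FQDN (RFC 2407 type 3), and that "primary" means the first User ID packet (RFC 2440 lets a self-signature subpacket flag a different one; self-signatures are not parsed here).  The sample key is constructed with toy MPIs and is not a usable key.

```python
"""ISAKMP CERT / CERTREQ / ID payloads carrying an OpenPGP key (RFC 2408, RFC 2407, RFC 2440).
Added example, not PGPnet code.  Constants are from the RFCs except where marked as assumptions."""
import re
import struct

CERT_ENC_PGP = 2                                  # RFC 2408 3.9: "PGP Certificate" encoding
NP_NONE, NP_ID, NP_CERT, NP_CERTREQ = 0, 5, 6, 7  # RFC 2408 3.1: next-payload types
ID_USER_FQDN = 3                                  # RFC 2407 4.6.2.1; assumption: email from primary user ID goes here
TAG_PUBLIC_KEY, TAG_USER_ID, TAG_USER_ATTR = 6, 13, 17   # RFC 2440 4.3: packet tags


def pgp_packet(tag, body):
    """Old-format packet header (RFC 2440 4.2.1) with a 1-, 2- or 4-byte body length."""
    for ltype, fmt in ((0, ">B"), (1, ">H"), (2, ">I")):
        if len(body) < 1 << (8 * (1 << ltype)):
            return bytes([0x80 | (tag << 2) | ltype]) + struct.pack(fmt, len(body)) + body
    raise ValueError("packet too large")


def mpi(x):
    """RFC 2440 3.2 multiprecision integer: 2-byte bit count, then the big-endian value."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def parse_packets(data):
    """Split an RFC 2440 binary key into (tag, body) pairs; old- and new-format headers, no partial lengths."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        raise ValueError("ASCII-armored key: the IKE CERT payload carries the binary format only")
    pkts, i = [], 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body length not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = 1 << ltype
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        body = data[i:i + n]
        if len(body) != n:
            raise ValueError("truncated packet")
        pkts.append((tag, body))
        i += n
    return pkts


def primary_user_id(key):
    """First User ID packet of a transferable public key (simplification: self-signature primary flag ignored)."""
    pkts = parse_packets(key)
    if not pkts or pkts[0][0] != TAG_PUBLIC_KEY:
        raise ValueError("transferable public key must start with a Public Key packet")
    for tag, body in pkts:
        if tag == TAG_USER_ID:                          # tag 17 (user attribute) is skipped: not an identity for Phase 1
            return body.decode("utf-8")
    raise ValueError("no User ID packet in key")


def isakmp_payload(next_payload, body):
    """Generic ISAKMP payload header (RFC 2408 3.2): next payload, reserved, total length."""
    return struct.pack(">BBH", next_payload, 0, 4 + len(body)) + body


def cert_payload(key, next_payload=NP_NONE):
    """CERT payload: encoding byte 2 followed by the raw binary key.  Rejects armored/malformed input first."""
    parse_packets(key)
    return isakmp_payload(next_payload, bytes([CERT_ENC_PGP]) + key)


def certreq_payload(next_payload=NP_NONE):
    """CERTREQ asking explicitly for a PGP certificate.  Certificate Authority field left empty (assumption:
    there is no CA name to send for the PGP web of trust)."""
    return isakmp_payload(next_payload, bytes([CERT_ENC_PGP]))


def id_payload(key, next_payload=NP_NONE):
    """Phase 1 ID derived from the primary user ID: ID type, protocol ID 0, port 0, then the email (RFC 2407 4.6.2)."""
    uid = primary_user_id(key)
    m = re.search(r"<([^>]+)>", uid)
    email = m.group(1) if m else uid
    return isakmp_payload(next_payload, struct.pack(">BBH", ID_USER_FQDN, 0, 0) + email.encode("utf-8"))


def parse_cert_payload(payload):
    """Receiver side: check the length field and that the encoding really is PGP, then extract key and primary ID."""
    _, _, length = struct.unpack(">BBH", payload[:4])
    if length != len(payload):
        raise ValueError("CERT payload length mismatch")
    if payload[4] != CERT_ENC_PGP:
        raise ValueError("expected PGP certificate encoding %d, got %d" % (CERT_ENC_PGP, payload[4]))
    key = payload[5:]
    return key, primary_user_id(key)


def constructed_sample_key():
    """Constructed for this example: v4 RSA public-key packet with toy MPIs (not a usable key) plus one User ID.
    A real transferable key also carries self-signature packets (tag 2), omitted here."""
    pubkey = bytes([4]) + struct.pack(">I", 0x38568F5E) + bytes([1]) + mpi(0xB5C3A1F7) + mpi(65537)
    return pgp_packet(TAG_PUBLIC_KEY, pubkey) + pgp_packet(TAG_USER_ID, b"Alice Example <alice@example.com>")


if __name__ == "__main__":
    k = constructed_sample_key()
    print("primary user ID:", primary_user_id(k))
    print("CERT   :", cert_payload(k, NP_ID).hex())
    print("CERTREQ:", certreq_payload(NP_CERT).hex())
    print("ID     :", id_payload(k, NP_CERTREQ).hex())
```

The receiver-side check in `parse_cert_payload` is the practical point of the CERTREQ recommendation: a peer that sends CERTREQ with encoding 2 and then verifies that byte on the CERT it gets back never hands an X.509 blob to an OpenPGP parser, or vice versa.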