
Re: Aggressive/Base Mode Signature Queries



> Suppose you share CAs C1 and C2 with some peer B. C1 issues you a
> certificate Cert(A1,C1) under the name A1, and C2 issues you a certificate
> Cert(A2,C2) under the name A2, with A1 != A2. Similarly B gets certificates
> Cert(B1,C1) issued by C1 and Cert(B2,C2) issued by C2.


Let us file any example with multiple root CAs into the realm of complex
topology. I think it is silly to discuss rules for SA negotiation within
such a network without asking why the complex topology is necessary.

Scenario 1:

Alice and Bob belong to corporations Ajax and BazCorp which have a limited
partnership. C1 belongs to Ajax and C2 belongs to BazCorp. Alice's policy is
expressed relative to C1 but she is also certified with C2. Bob's policy is
expressed relative to C2 but he is also certified with C1. (This is perhaps
not the best way to cross-certify two corporations, but it is a solution.)

Scenario 2:

Alice is a client and Bob is a server (or a sgw in front of a server). Alice
uses different certificates for different applications. She uses certificate
1 to get her e-mail, but certificate 2 to connect to the bug database. For
whatever reason, these two applications are not under the domain of
administrative control.


Assuming that you actually intend to use the identities in the certificates
for authorization, then these two scenarios are very different. (And if
you're not, then might I ask why you have 2 CAs in the first place.) You
can't be satisfied simply with agreeing on one of the two CAs; you also have
to choose the correct one.

In fact, in scenario 1 you don't want Alice and Bob to use the same CA.
Alice should use the id from C2 and Bob should use the id from C1.

In scenario 2, it's not good enough to agree on one of the two CAs; you have
to choose the correct one for the task.

This all goes to prove a point I've tried to make before, which is that you
can't negotiate policy, you can only enforce it.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black and white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.
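The following is an added example, not part of Andrew's message or of any IKE implementation, that models the two scenarios above. It shows why "pick any CA both sides share" fails: in scenario 1 each party must present the certificate issued by the CA the *peer's* policy is written against (so Alice and Bob end up using different CAs), and in scenario 2 the correct CA depends on the application. The names Alice, Bob, C1, C2 and the two applications follow the message; the data structures, the purpose-to-CA policy tables, and the assumption that each initiator is configured (not negotiated) with which CA the peer's policy is expressed in are constructed for this example.

```python
"""Toy model of certificate selection under multiple shared CAs.

Everything here is constructed for illustration: the Cert type, the policy
tables and the helper functions are not code from any IKE/IPsec project.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # identity the CA binds to the key
    issuer: str   # name of the issuing CA (C1 or C2)


def shared_cas(mine, theirs):
    """The naive approach: the set of CAs both sides hold certificates from."""
    return sorted({c.issuer for c in mine} & {c.issuer for c in theirs})


def naive_pick(mine, theirs):
    """Present any certificate from a shared CA (the mistake the message warns about)."""
    common = shared_cas(mine, theirs)
    if not common:
        return None
    return next(c for c in mine if c.issuer == common[0])


def select_cert(mine, peer_policy, purpose):
    """Initiator: present the cert issued by the CA the peer's policy requires
    for this purpose. That CA comes from local configuration; it is enforced
    by the peer, never negotiated on the wire."""
    required_ca = peer_policy.get(purpose)
    return next((c for c in mine if c.issuer == required_ca), None)


def authorize(policy, purpose, presented):
    """Responder: enforce policy. A cert from a CA that is trusted but is not
    the one the authorization rules are written against is refused, even
    though both sides 'share' that CA."""
    return presented is not None and presented.issuer == policy.get(purpose)


# Constructed certificate sets: both parties are certified by both CAs.
ALICE_CERTS = [Cert("alice@ajax", "C1"), Cert("alice@bazcorp", "C2")]
BOB_CERTS = [Cert("bob@ajax", "C1"), Cert("bob@bazcorp", "C2")]


def run_scenario_1():
    """Limited partnership: Alice's policy is expressed relative to C1,
    Bob's relative to C2 (assumed purpose label: 'partner')."""
    alice_policy = {"partner": "C1"}
    bob_policy = {"partner": "C2"}
    a = select_cert(ALICE_CERTS, bob_policy, "partner")   # what Alice presents to Bob
    b = select_cert(BOB_CERTS, alice_policy, "partner")   # what Bob presents to Alice
    return {
        "alice_presents": a.issuer,
        "bob_presents": b.issuer,
        "bob_accepts": authorize(bob_policy, "partner", a),
        "alice_accepts": authorize(alice_policy, "partner", b),
        # naive choice: the first shared CA (C1), which Bob's policy rejects
        "naive_accepted": authorize(bob_policy, "partner",
                                    naive_pick(ALICE_CERTS, BOB_CERTS)),
    }


def run_scenario_2():
    """Client/server: the server's policy maps each application to a CA
    (assumed: e-mail -> C1, bug database -> C2, as in the message's
    'certificate 1' and 'certificate 2')."""
    server_certs = [Cert("mail.ajax", "C1"), Cert("bugs.bazcorp", "C2")]
    server_policy = {"email": "C1", "bugdb": "C2"}
    results = {}
    for purpose in ("email", "bugdb"):
        chosen = select_cert(ALICE_CERTS, server_policy, purpose)
        results[purpose] = (chosen.issuer, authorize(server_policy, purpose, chosen))
    # agreeing on "a" shared CA happens to work for e-mail but not for the bug database
    naive = naive_pick(ALICE_CERTS, server_certs)
    results["naive_bugdb"] = authorize(server_policy, "bugdb", naive)
    return results


if __name__ == "__main__":
    print(run_scenario_1())
    print(run_scenario_2())
```

The responder side is the only place where anything is decided: `authorize` consults its own policy table, and an initiator that guesses wrongly simply fails, which is the practical content of "you can't negotiate policy, you can only enforce it".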