RE: Aggressive/Base Mode Signature Queries
Radia,
In thinking about your suggestions for heuristics at the end of the
message, I just wanted to make an observation:
In many (most?) contexts where IPsec is being used, I think trust
models (in the more general sense) will not apply. Companies begin by
issuing certs to their employees and to IPsec devices at the
company's remote sites to enable remote access and to create
intranets.
Then, a company may cross certify other companies to enable an
extranet. The company should use the name constraints extension in
such cross certs, to ensure that the companies who are cross
certified cannot issue certs outside their own name spaces (and have
them accepted by the cross certifying company). If one follows that
sort of model, trust does not enter into the PKI model in the sense
that it might if individuals were engaging in this activity among
themselves.
Steve
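
The name-constraints check described in the message above, sketched as an added example that is not part of the original e-mail: a relying party applies the permitted and excluded dNSName subtrees from a cross certificate, in the style of RFC 5280 section 4.2.1.10. All host names and function names are constructed for illustration, and the code covers only dNSName matching, not full path validation.

```python
# Added illustration: dNSName name-constraint matching (RFC 5280 style).
# Names are constructed; this is not a complete certificate path validator.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def within_subtree(name, base):
    """True if `name` equals `base` or adds whole labels to its left."""
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def name_allowed(name, permitted, excluded):
    """Apply one cross certificate's constraints to one dNSName."""
    if any(within_subtree(name, e) for e in excluded):
        return False  # excluded subtrees take priority over permitted ones
    # Assumption: an empty permitted list means no permitted-subtree limit.
    return not permitted or any(within_subtree(name, p) for p in permitted)

def rejected_names(leaf_names, constraints_on_path):
    """Return leaf names refused by any (permitted, excluded) pair on the path."""
    return [n for n in leaf_names
            if not all(name_allowed(n, p, e) for p, e in constraints_on_path)]

# Constructed scenario: company A cross-certifies partner B's CA and limits
# it to B's own name space, minus one subtree A does not want to accept.
CROSS_CERT_CONSTRAINTS = [(["partner-b.example"], ["hr.partner-b.example"])]

SAMPLE_LEAF_NAMES = [
    "vpn.partner-b.example",     # inside B's name space
    "vpn.company-a.example",     # B's CA naming a host in A's name space
    "db.hr.partner-b.example",   # inside the excluded subtree
    "notpartner-b.example",      # string suffix match, but not a label match
]

if __name__ == "__main__":
    for bad in rejected_names(SAMPLE_LEAF_NAMES, CROSS_CERT_CONSTRAINTS):
        print("rejected:", bad)
```

Matching on whole labels rather than on a string suffix is what keeps a look-alike domain from passing the permitted-subtree test.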