
RE: Aggressive/Base Mode Signature Queries



Radia,

In thinking about your suggestions for heuristics at the end of the 
message, I just wanted to make an observation:

In many (most?) contexts where IPsec is being used, I think trust 
models (in the more general sense) will not apply. Companies begin by 
issuing certs to their employees and to IPsec devices at the 
company's remote sites to enable remote access and to create 
intranets.

Then, a company may cross certify other companies to enable an 
extranet.  The company should use the name constraints extension in 
such cross certs, to ensure that the companies who are cross 
certified cannot issue certs outside their own name spaces (and have 
them accepted by the cross certifying company). If one follows that 
sort of model, trust does not enter into the PKI model in the sense 
that it might if individuals were engaging in this activity among 
themselves.

Steve
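
The name-constraints check mentioned in the message above, as an added example that is not part of the original post: it shows how a relying party would test DNS names in a partner-issued cert against the permitted and excluded subtrees of a cross certificate, following the dNSName matching rule of RFC 5280 section 4.2.1.10. The function names and all domain names are assumptions constructed for illustration, and only the dNSName form is covered.

```python
# Added example: dNSName name-constraint matching in the style of RFC 5280,
# section 4.2.1.10. Function names and all domains are constructed.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def within_subtree(name, subtree):
    """True if `name` equals `subtree` or adds whole labels to its left.

    Matching is per label, so 'notpartner.example' is NOT inside
    'partner.example' even though it ends with the same characters.
    """
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[-len(s):] == s

def name_allowed(name, permitted, excluded=()):
    """Apply a cross cert's permitted/excluded subtrees to one DNS name."""
    if any(within_subtree(name, e) for e in excluded):
        return False  # an excluded subtree always wins over a permitted one
    return any(within_subtree(name, p) for p in permitted)

def violations(dns_names, permitted, excluded=()):
    """Return the DNS names in a cert that fall outside the constraints.

    An empty result means the cert passes this check; a cert carrying no
    DNS names has nothing for dNSName constraints to reject.
    """
    return [n for n in dns_names if not name_allowed(n, permitted, excluded)]

# Constructed scenario: Company A cross-certifies a partner CA and limits it
# to the partner's own name space, minus one subtree A refuses to accept.
PERMITTED = ["partner.example"]
EXCLUDED = ["lab.partner.example"]

if __name__ == "__main__":
    for cert_names in (["vpn-gw.partner.example"],
                       ["vpn-gw.partner.example", "vpn.company-a.example"],
                       ["notpartner.example"],
                       ["host.lab.partner.example"]):
        bad = violations(cert_names, PERMITTED, EXCLUDED)
        print(cert_names, "ACCEPT" if not bad else f"REJECT {bad}")
```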

