
Re: Phase 1 IDs ("son of IKE")



> From: "Angelos D. Keromytis" <angelos@coredump.cis.upenn.edu>
>
>  >But if the identity hint was used as an abstract name, rather than the
>  >exact identity that the responder is expected to use, it could be used
>  >as a kind of generic "scope" or "role" identifier.
> 
> My concern with this is that it's more complicated than the simple case of
> "here's what I'd like you to use", both in terms of semantics, effort that
> has to go in specs, and code.

I don't think it's more complicated.  Instead of saying "the responder
must ignore the hint or use it as the value of the subsequent IDir
payload," you say "the responder may use the hint in an
implementation-defined way to influence its selection of its own
identity."

It would be important that the initiator have two distinct policy
parameters: one to specify what remote identities will be accepted from
the responder (regardless of whether it chooses to use the hint) and
another to specify the hint to be sent.  This is because, as I said, the
initiator's policy language for specifying acceptable remote identities
may not have a simple representation as an ISAKMP identification
payload.

					-=] Mike [=-
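To make the two-parameter point above concrete, here is an added example (not code from the thread or from any IKE implementation) that models an initiator whose acceptable-identity policy is a set of globs over ISAKMP ID types (a richer language than a single ID payload) kept separate from the hint it sends, and a responder that uses the hint as a "scope" to pick one of its own identities. The ID type numbers are the IPsec DOI values from RFC 2407; the glob policy language and the responder's selection rule are assumptions for illustration.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISAKMP identification types from the IPsec DOI (RFC 2407).
ID_FQDN = 2
ID_USER_FQDN = 3


@dataclass(frozen=True)
class IsakmpId:
    id_type: int
    data: str


@dataclass
class InitiatorPolicy:
    # Parameter 1: which responder identities are acceptable, as (type, glob)
    # pairs. This is the rule the initiator enforces on the received IDr.
    accepted: List[Tuple[int, str]]
    # Parameter 2: the hint sent to the responder; independent of parameter 1.
    hint: Optional[IsakmpId] = None

    def accepts(self, idr: IsakmpId) -> bool:
        return any(t == idr.id_type and fnmatch.fnmatchcase(idr.data, pat)
                   for t, pat in self.accepted)


def responder_choose_id(own_ids: List[IsakmpId],
                        hint: Optional[IsakmpId]) -> IsakmpId:
    """Implementation-defined use of the hint as an abstract 'scope': pick the
    first identity the responder actually owns that falls inside the hint,
    otherwise fall back to its default (first) identity."""
    if hint is not None:
        for cand in own_ids:
            if (cand.id_type == hint.id_type
                    and fnmatch.fnmatchcase(cand.data, hint.data)):
                return cand
    return own_ids[0]


def phase1_identity_exchange(policy: InitiatorPolicy,
                             responder_ids: List[IsakmpId],
                             honour_hint: bool = True) -> Tuple[IsakmpId, bool]:
    """Simulate IDr selection and the initiator's check. The check uses only
    policy.accepted, never the hint, so a responder that ignores the hint
    (honour_hint=False) is judged by exactly the same rule."""
    idr = responder_choose_id(responder_ids, policy.hint if honour_hint else None)
    return idr, policy.accepts(idr)


# Constructed sample: a gateway owning two identities, default listed first.
GATEWAY_IDS = [IsakmpId(ID_USER_FQDN, "admin@example.com"),
               IsakmpId(ID_FQDN, "gw1.vpn.example.com")]
POLICY = InitiatorPolicy(accepted=[(ID_FQDN, "*.vpn.example.com")],
                         hint=IsakmpId(ID_FQDN, "gw*.vpn.example.com"))
```

With the hint honoured the gateway presents gw1.vpn.example.com and passes the policy; a gateway that ignores the hint presents its default user-FQDN identity and is rejected by the same, hint-independent rule.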

