RE: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems
At 6:11 PM +0100 8/15/01, Chris Trobridge wrote:
>I think the problem is not specifically "global PKI" but "global trust
>infrastructure".
I think "trust" is largely an irrelevant term here. If one wants to
identify hosts by DNS name, there is an established, strict hierarchy
that we all rely on. It's authoritative. It's not a matter of trust.
>It would be useful if IKE could use different trust models, including
>delegation this to another protocol.
IKE defines very little about what one does with its varied set of
potential PKI technologies, so I don't think this is a relevant
criticism.
>However, I think in most cases, binding up your key to an IP address
>probably isn't that useful, due to the ephemeral nature of IP addresses - my
>impression is that this just gets worse with IPv6.
IP addresses are not the only choice of identifier that IKE (or
IPsec) deals with, as I noted in another message. Also, IPv6 is
hardly the primary focus of most folks today. So, for those folks
who argue the need to be responsive to current and near term customer
needs, IPv4 should be the major focus for now.
>The important thing is that you can authenticate who your peer is - there's
>no reason why this has to be bound up in an IP address - and that your
>policy allows you to communicate with them.
We agree; IPsec and IKE already allow that. But, it's not always
enough to discuss authorization merely at the granularity of IP
addresses, which is why we have other selectors in the SPD.
Steve
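As an added illustration of the last point above (this is not part of Steve's message, nor code from any IPsec implementation), here is a small Python model of an SPD lookup using the RFC 2401 selector set: source and destination address, next-layer protocol, and destination port. It contrasts a policy table with address-only selectors against one that also uses protocol and port, on the same constructed traffic. The entry layout, the policy tables and the sample addresses (documentation ranges from RFC 5737) are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical SPD entry modelled on the RFC 2401 section 4.4.2 selectors.
# A selector left as None is a wildcard and matches anything.
@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None   # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dport: Optional[int] = None   # destination port; only meaningful for TCP/UDP
    action: str = "PROTECT"       # PROTECT (apply IPsec), BYPASS or DISCARD

    def matches(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def lookup(spd, src: str, dst: str, proto: int, dport: Optional[int] = None) -> str:
    """Ordered first-match search over the SPD; a packet matching no entry is discarded."""
    for entry in spd:
        if entry.matches(src, dst, proto, dport):
            return entry.action
    return "DISCARD"


# Constructed sample policies for a mail server at 192.0.2.10 (RFC 5737 range).
SITE = ipaddress.ip_network("10.0.0.0/8")
MAIL = ipaddress.ip_network("192.0.2.10/32")

# Address-only granularity: one verdict for every packet between the two address sets.
IP_ONLY_SPD = [
    SpdEntry(SITE, MAIL, action="PROTECT"),
]

# Finer granularity: SMTP is protected, ICMP is allowed in the clear for
# troubleshooting, and anything else from the site to that host is dropped.
FINE_SPD = [
    SpdEntry(SITE, MAIL, proto=6, dport=25, action="PROTECT"),
    SpdEntry(SITE, MAIL, proto=1, action="BYPASS"),
    SpdEntry(SITE, MAIL, action="DISCARD"),
]


def compare(src: str, dst: str, proto: int, dport: Optional[int] = None):
    """Return (address-only verdict, full-selector verdict) for one packet."""
    return lookup(IP_ONLY_SPD, src, dst, proto, dport), lookup(FINE_SPD, src, dst, proto, dport)


if __name__ == "__main__":
    # Constructed traffic: SMTP, ICMP echo and telnet from a site host to the mail server,
    # plus SMTP from an address outside the site.
    for pkt in [("10.1.2.3", "192.0.2.10", 6, 25),
                ("10.1.2.3", "192.0.2.10", 1, None),
                ("10.1.2.3", "192.0.2.10", 6, 23),
                ("198.51.100.7", "192.0.2.10", 6, 25)]:
        print(pkt, "->", compare(*pkt))
```

With address-only selectors every packet between the site and the mail server gets the same verdict, so telnet to the mail server is protected exactly like SMTP and cannot be refused by policy; the protocol and port selectors are what let the SPD say "this flow, not that one". Traffic from outside the site matches no entry in either table and is discarded by default, which is the safe failure mode for an SPD.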