
Re: SOI: identity protection and DOS




Since certificates are essentially public
information, anybody who puts private information
on one deserves what they get. After all, what if
an unscrupulous site demands that cert and then
publishes its contents to spammers-r-us.com?

	      Mike

Joern Sierwald writes:
 > At 13:42 19.11.2001 -0500, you wrote:
 >  > >>>>> "Michael" == Michael Thomas <mat@cisco.com> writes:
 >  >
 >  >  Michael> ...2) SOI SHOULD provide a means to protect identities. SOI
 >  >  Michael> MUST make protection optional if it reduces the overall
 >  >  Michael> number of messages to establish a SA. A SOI peer MUST NOT
 >  >  Michael> protect identities by default.
 >  >
 >  >  Michael> I expect that the last statement is controversial so let me
 >  >  Michael> explain: IMO, identity protection is overblown. If by simple
 >  >  Michael> traffic analysis I see a static IP address for a server
 >  >  Michael> which I can reverse map, and even a dynamic address which I
 >  >  Michael> can reverse map to a particular POP, a determined attacker
 >  >  Michael> is probably going to have a pretty good idea ...
 >  >
 >  >That may be a valid analysis.  (I'm not going to take a position on
 >  >that here.)
 >  >
 >  >However, it does not justify the text you proposed.  What it would
 >  >justify is:
 >  >
 >  >2) SOI SHOULD provide a means to protect
 >  >    identities. SOI MUST make protection optional
 >  >    if it reduces the overall number of messages
 >  >    to establish a SA. A SOI peer MAY protect
 >  >    identities by default.
 >  >
 >  >That would fit the notion that identity protection is not all that
 >  >useful.
 >  >
 >  >The text you proposed would be appropriate if identity protection is
 >  >actually a bad idea.  For example, if it can only be done at
 >  >significant expense in time (messages, computation) or memory.  Is
 >  >that the case?  You did not say so.
 >  >
 >  >If identity protection does not come at a significant cost, there is
 >  >no technical reason to prohibit it being the default for some
 >  >implementations.
 >  >
 >  >         paul
 > 
 > VPNs are mostly used in two ways: (1) Gateway to Gateway encryption,
 > to link LANs, or (2) Laptop/home user to Gateway, to let remote users
 > into the company LAN.
 > 
 > For (2), the laptop may be lost, so a safe authentication method is needed.
 > You can use one-time-password or code-generating tokens, but the
 > natural solution for IKE is an RSA smartcard.
 > 
 > Now, these are usually fitted with keys and certificates before the
 > VPN vendor or sales guy can state his opinion. As a result, the
 > DN of the cert can contain all kinds of stuff. Like email address.
 > Birthday. Home address. Social security number.
 > I know of one country (Finland) where you can get your
 > personal ID card with an RSA chip in it (at the local police station),
 > and yes, you can use that for a VPN.
 > 
 > Having _that_ DN in cleartext over the net is NOT a good idea.
 > 
 > Very much in favour of identity protection,
 > 
 > Jörn Sierwald
 > F-Secure Corp
 > 
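As an added example (not part of this thread or of any SOI draft), a small Python audit that checks whether a certificate subject DN carries the kind of personal data Jörn describes, which is what a peer would send in the clear if identity protection is off. The DN strings are constructed and the set of "sensitive" attribute types is an assumed policy.

```python
"""Audit X.509 subject DNs for personal data that IKE identity protection would hide.
Added example, not from the thread: DNs are constructed and the list of sensitive
attribute types is an assumed policy (names are standard X.520 / PKCS#9 short names)."""

SENSITIVE_ATTRS = {  # assumed policy
    "emailaddress", "e", "mail", "serialnumber", "street", "postaladdress",
    "postalcode", "telephonenumber", "dateofbirth", "placeofbirth", "uid",
}

def parse_dn(dn):
    """Split an RFC 4514 DN string into (lowercase type, value) pairs.
    Handles backslash escapes, double-quoted values and '+' multi-valued RDNs."""
    pairs, buf, key, in_quote, i = [], [], None, False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':  # quotes delimit a value, they are not data
            in_quote = not in_quote
        elif not in_quote and c == "=" and key is None:
            key, buf = "".join(buf).strip().lower(), []
        elif not in_quote and c in ",+":  # end of an RDN, or of one value of it
            if key is not None:
                pairs.append((key, "".join(buf).strip()))
            buf, key = [], None
        else:
            buf.append(c)
        i += 1
    if key is not None:
        pairs.append((key, "".join(buf).strip()))
    return pairs

def pii_attributes(dn):
    """Sensitive attribute types present in the DN (types only, never the values)."""
    return sorted({t for t, _ in parse_dn(dn) if t in SENSITIVE_ATTRS})

def needs_identity_protection(dn):
    """Policy: a peer whose certificate DN carries personal data must not send it in clear."""
    return bool(pii_attributes(dn))

SAMPLE_DNS = [  # constructed, not real certificates
    "CN=vpn-gw1.example.test,O=Example Corp,C=FI",
    "CN=Jane Doe,emailAddress=jane@example.test,serialNumber=010180-123X,O=Example Corp,C=FI",
    "CN=Doe\\, Jane,street=1 Main St,postalCode=00100,C=FI",
]
```

A gateway cert with only CN/O/C passes, while the two user certs would be flagged, so an administrator can tell from the existing smartcard certs alone whether "protect identities by default" is the right setting for that deployment.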

