
Re: Son-of-IKE Selection Criteria?



"Dilkie, Lee" <Lee_Dilkie@Mitel.COM> writes:

> I see no reason to revoke a certificate just because you re-issued
> due to a name change. There was no compromise of the original
> private key, so why would you need to go through the expense of
> revoking a certificate?

Because a certificate is a binding of a Public/Private keypair to a
name.  If, as Phill is suggesting, you use the IP Address as the name,
then every time you change IP Address you need to revoke and re-issue
certificates.  Note that this does not mean you need to change/revoke
the Public/Private Keypair in use, you just need to revoke the
binding to the old IP Address.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

