
RE: Fixing identity and cert-sending

At 4:56 PM -0500 4/4/02, Andrew Krywaniuk wrote:
>Since it appears that no one else is going to speak up, I will say that I
>like this idea,

Thanks

>  although you did leave out the fact that the old identity
>types need to be preserved in order to act as "policy matching hints", as we
>discussed earlier.

Er, we didn't discuss it in those terms. What I said was that it is 
completely up to the receiving system to determine the policy 
matching from the ID that it gets. In the case of a cert, the 
receiving system picks the ID-for-policy it wants from the identity 
or identities in the cert. For a shared secret, the receiving system 
needs some other way to decide how to map the identity to the policy.

We could add a "preferred identity" payload for message 3 and 4, but 
it would be completely voluntary and would need to be very clearly worded.

>  > For ID types 3 and 4: the URL scheme must be http
>
>Does this support directories?

Yes, definitely. See draft-ietf-pkix-certstore-http-02.txt, which is 
making its way through the PKIX WG.

--Paul Hoffman, Director
--VPN Consortium