RE: Fixing identity and cert-sending
At 4:56 PM -0500 4/4/02, Andrew Krywaniuk wrote:
>Since it appears that no one else is going to speak up, I will say that I
>like this idea,
Thanks
> although you did leave out the fact that the old identity
>types need to be preserved in order to act as "policy matching hints", as we
>discussed earlier.
Er, we didn't discuss it in those terms. What I said was that it is
completely up to the receiving system to determine the policy
matching from the ID that it gets. In the case of a cert, the
receiving system picks the ID-for-policy it wants from the identity
or identities in the cert. For a shared secret, the receiving system
needs some other way to decide how to map the identity to the policy.
We could add a "preferred identity" payload for message 3 and 4, but
it would be completely voluntary and would need to be very clearly worded.
> > For ID types 3 and 4: the URL scheme must be http
>
>Does this support directories?
Yes, definitely. See draft-ietf-pkix-certstore-http-02.txt, which is
making its way through the PKIX WG.
--Paul Hoffman, Director
--VPN Consortium