
new draft: draft-ietf-ipsec-pki-profile-00.txt



Folks,

We interrupt your previously scheduled programming to introduce
the somewhat sticky topic of how to use PKI with ISAKMP/IKE. 

Those of you who have had the pleasure of reading the IKE documents
have no doubt noticed that they're a little vague on a number
of PKI-related topics, including:

(1) What sorts of identifiers should appear in certificates.
(2) What the various payloads mean.
(3) How to interpret the mess of certificates that you get
    from the peer.

This doesn't promote interoperability. Some of these questions can be
answered by careful exegesis of the relevant documents, but it's not
at all straightforward and experience shows that different
implementors often come up with different "obvious" answers. Thus, we
think it would be worthwhile to have a consensus on how things
work. This draft is an attempt to nudge us towards that
consensus. This is a first draft and is intended to spark discussion
(rather than striving for accuracy or completeness).

This draft covers some of the same territory as the expired
draft-ietf-ipsec-pki-req-04.txt but is rather more complete and
detailed and benefits from another year or two of implementation
experience.

While the primary target of this draft is IKE, it's also applicable to
IKEv2 and to some extent to JFK, since the same sorts of issues
arise whenever you use certs and IPsec together.

-brian
briank@briank.com