Re: SOI QUESTION: 3.4 Preferred ID for responder
> 3.4 Preferred ID for responder
>
> 3.4.A) In JFK and IKEv2, the initiator can include a payload that is an
> indication to the responder as to what identity (and corresponding key
> material) the responder should use to authenticate to the initiator. In
> JFKr and IKEv2, this value is encrypted in message 3; in JFKi, it is sent
> in the clear in message 1, thereby allowing a passive attack on the
> responder's likely identity. Is it important to encrypt this identity?
Identity protection against passive attack is the least we may want (IMO),
and we should encrypt this identity (at a cost for message 3 length), though it
may have no meaning at all to the eavesdropper.
I fear that hosting several ids on a single host/gw and allowing the initiator
to express an identity choice for the responder may be a bit messy. For me, it
can be again politics/diplomacy, so I would like some concrete examples
presented to me too.
--
Jean-Jacques Puig
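The passive-attack point in the quoted question, as an added toy model (not code from the thread or from any IKEv2/JFK implementation): both flows carry the same "preferred responder ID" hint, but JFKi puts it in cleartext message 1 while IKEv2 puts it inside the SK{...} payload of message 3, after the Diffie-Hellman exchange. The DH group (a Mersenne-prime modulus), the keystream cipher and the hint value are all constructed stand-ins for readability, not real IKE parameters.

```python
"""Toy model: a responder-identity hint in JFKi message 1 vs. IKEv2 message 3."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example; NOT a real IKE/MODP group.
P = 2**127 - 1   # Mersenne prime, small enough to keep values readable
G = 2


def dh_keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_sk(priv, peer_pub):
    """Both sides derive the same 32-byte key from the DH shared secret (stand-in for SK_e)."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(b"toy-SK_e|" + shared).digest()


def _keystream(sk, iv, length):
    # HMAC-SHA256 in counter mode; a stand-in for a real cipher, not a recommendation.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(sk, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(sk, plaintext):
    """Stand-in for the IKEv2 SK{...} payload: random IV, keystream XOR, HMAC tag."""
    iv = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(sk, iv, len(plaintext))))
    tag = hmac.new(sk, b"tag|" + iv + body, hashlib.sha256).digest()
    return iv + body + tag


def toy_decrypt(sk, blob):
    """Verify the tag, then strip the keystream; raises on tampering."""
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(sk, b"tag|" + iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(body, _keystream(sk, iv, len(body))))


def jfki_message1(init_pub, idr_hint):
    """JFKi message 1 as the question describes it: the hint rides in the clear next to g^i."""
    return b"JFKi M1|g^i=" + init_pub.to_bytes(16, "big") + b"|IDr'=" + idr_hint


def ikev2_message3(sk, idr_hint):
    """IKEv2 message 3 (IKE_AUTH request): the hint is inside the encrypted SK{...} payload."""
    return b"IKEv2 M3|SK{" + toy_encrypt(sk, b"IDr=" + idr_hint) + b"}"


def passive_observer_sees(wire, idr_hint):
    """All a passive eavesdropper can do here: check whether the hint bytes appear on the wire."""
    return idr_hint in wire


def run_exchange(idr_hint):
    """Run both flows for the same hint and report who can read it."""
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    # Messages 1/2 exchange g^i and g^r; each side derives SK_e from its own private value.
    sk_i = derive_sk(i_priv, r_pub)
    sk_r = derive_sk(r_priv, i_pub)
    assert sk_i == sk_r, "DH key agreement failed"

    m1 = jfki_message1(i_pub, idr_hint)
    m3 = ikev2_message3(sk_i, idr_hint)
    # The responder decrypts with its own copy of the key and recovers the hint.
    recovered = toy_decrypt(sk_r, m3[len(b"IKEv2 M3|SK{"):-1])
    return {
        "jfki_hint_visible_to_eavesdropper": passive_observer_sees(m1, idr_hint),
        "ikev2_hint_visible_to_eavesdropper": passive_observer_sees(m3, idr_hint),
        "responder_recovered_hint": recovered,
    }


if __name__ == "__main__":
    # Constructed hint value; any byte string works.
    print(run_exchange(b"vpn-gw.example.net"))
```

The model deliberately says nothing about what the hint means to the responder; as the reply notes, the eavesdropper may learn nothing useful from it even in the clear, but the message-3 placement is what removes the question from the passive observer's reach at the cost of a few more bytes in that message.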