
Re: Adding revised identities to IKEv2



Paul Hoffman / VPNC writes:
> Why? What people have found from many years of VPN deployment is that 
> customers generally want one of two things:
> - The ability to say "let any gateway with this identity set up any 
> kind of tunnel with me"
> - The ability to say "let the gateway with this identity set up a 
> tunnel with these features"
> For preshared secrets, there is no question of the identity. For PKIX 
> certificates, the identity problem is so convoluted, almost all 
> customers say "any identity is OK as long as the certificate 
> correctly chains to this trusted root". The identity is logged, but 
> the type of identity is not related to the ability to set up tunnels.

While we're on this topic, I'll interject that a reorganized but
largely the same draft-ietf-ipsec-pki-profile-01.txt is just out
and attempts to address these issues.


> It would be silly to put your cert *behind* your gateway. But the 
> gateway itself might have a trivial HTTP server to allow access to 
> certs; in fact, this is what many people expect to happen.
> 
> --Paul Hoffman, Director
> --VPN Consortium
> 

-brian
briank@briank.com
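The two policy shapes Paul describes (any peer chaining to a trusted root may set up any tunnel; a named peer may set up a tunnel only with certain features) and the "identity is logged" behaviour can be modelled as a small authorization check. The following is an added illustration, not code from the thread, from VPNC or from any IKEv2 implementation: the Cert and Rule types, the root and gateway names, the feature labels and the audit format are all constructed for the example, and chain_to_root only walks issuer links to a trusted root without verifying signatures, which real code would do with an X.509 library.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a PKIX certificate (assumed fields, not a parser).
    Real code would take these from a parsed X.509 object."""
    subject: str
    issuer: str
    identity: Optional[str] = None  # name the peer asserts, e.g. a SAN dNSName


@dataclass(frozen=True)
class Rule:
    """One authorization rule.  identity=None means 'any identity under this
    root'; features=None means 'any kind of tunnel'."""
    trusted_root: str
    identity: Optional[str] = None
    features: Optional[FrozenSet[str]] = None


MAX_CHAIN = 8  # bound the issuer walk so a looping chain cannot spin forever


def chain_to_root(leaf: Cert, intermediates: Dict[str, Cert],
                  trust_store: Set[str]) -> Optional[str]:
    """Follow issuer links from the leaf until a trusted root subject is hit.
    Returns the root subject, or None if no trusted root is reached.
    Toy: no signature, validity or revocation checks."""
    cur = leaf
    for _ in range(MAX_CHAIN):
        if cur.issuer in trust_store:
            return cur.issuer
        nxt = intermediates.get(cur.issuer)
        if nxt is None:
            return None
        cur = nxt
    return None


def authorize(peer: Cert, requested: Set[str], rules: List[Rule],
              intermediates: Dict[str, Cert], trust_store: Set[str],
              audit: List[str]) -> bool:
    """Decide whether a peer may bring up a tunnel with the requested features.
    The peer identity is appended to the audit log whether or not the tunnel
    is allowed, so the log records who tried, not only who succeeded."""
    ident = peer.identity or peer.subject
    root = chain_to_root(peer, intermediates, trust_store)
    if root is None:
        audit.append(f"DENY identity={ident!r} reason=untrusted-chain")
        return False
    for r in rules:
        if r.trusted_root != root:
            continue
        if r.identity is not None and r.identity != ident:
            continue
        if r.features is None or requested <= r.features:
            audit.append(f"ALLOW identity={ident!r} root={root!r} "
                         f"features={sorted(requested)}")
            return True
    audit.append(f"DENY identity={ident!r} root={root!r} reason=no-matching-rule")
    return False


# Constructed sample PKI and policy (names are illustrative only).
TRUST_STORE = {"CN=Example Root CA", "CN=Partner Root CA"}
INTERMEDIATES = {
    "CN=Example Issuing CA": Cert("CN=Example Issuing CA", "CN=Example Root CA"),
}
RULES = [
    # our own PKI: any identity that chains to our root, any kind of tunnel
    Rule("CN=Example Root CA"),
    # a partner: exactly one named gateway, and only these tunnel features
    Rule("CN=Partner Root CA", identity="vpn.partner.example",
         features=frozenset({"esp", "tunnel-mode"})),
]


def demo() -> Tuple[Dict[str, bool], List[str]]:
    """Run the policy over a few constructed peers; returns decisions and log."""
    audit: List[str] = []
    own = Cert("CN=gw1", "CN=Example Issuing CA", identity="gw1.example.net")
    partner = Cert("CN=partner-vpn", "CN=Partner Root CA",
                   identity="vpn.partner.example")
    other = Cert("CN=other", "CN=Partner Root CA", identity="other.partner.example")
    stranger = Cert("CN=x", "CN=Unknown CA", identity="x.example")
    args = (RULES, INTERMEDIATES, TRUST_STORE, audit)
    results = {
        "own_any_tunnel": authorize(own, {"esp", "transport-mode"}, *args),
        "partner_allowed": authorize(partner, {"esp", "tunnel-mode"}, *args),
        "partner_wrong_feature": authorize(partner, {"esp", "transport-mode"}, *args),
        "partner_other_identity": authorize(other, {"esp"}, *args),
        "untrusted_root": authorize(stranger, {"esp"}, *args),
    }
    return results, audit


if __name__ == "__main__":
    decisions, log = demo()
    for name, ok in decisions.items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY'}")
    print("\n".join(log))
```

The subset test on `requested <= r.features` is what turns "this identity may set up a tunnel with these features" into a check; dropping `identity` from a rule collapses it to the "any identity under this root" case, and the audit entry is written before the decision is returned so an operator can see the identity of a denied peer as well as an allowed one.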