Re: Adding revised identities to IKEv2
Paul Hoffman / VPNC writes:
> At 3:52 PM +0100 11/6/02, Francis Dupont wrote:
> >But it shows we have to understand exactly what could/should
> >be the usage of addresses in key management protocols too (see after).
>
> Why? What people have found from many years of VPN deployment is that
> customers generally want one of two things:
> - The ability to say "let any gateway with this identity set up any
> kind of tunnel with me"
> - The ability to say "let the gateway with this identity set up a
> tunnel with these features"
> For preshared secrets, there is no question of the identity. For PKIX
> certificates, the identity problem is so convoluted, almost all
> customers say "any identity is OK as long as the certificate
> correctly chains to this trusted root". The identity is logged, but
> the type of identity is not related to the ability to set up tunnels.
Paul,
Allow me to rephrase this: authz with pre-shared
secrets is easy/possible and with PKIX is
hard/impossible? If so, why? Assuming you're not
talking about carrying authz information in the
certs themselves, I would think the binding of
auth to authz would be pretty much equivalent.
Mike
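The two policy shapes Paul describes ("this identity may set up any tunnel" and "this identity may set up a tunnel with these features") and the auth-to-authz binding Mike asks about can be made concrete with a small responder-side policy check. The following is an added illustration, not code from the thread or from any IKEv2 implementation: peers, the PSK table, the "certificates" and the policy rules are all constructed sample data, and certificate validation is reduced to "does the presented chain end at a trusted root name" (no signatures, expiry or CRLs are modelled).

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed model: peers are records, not parsed IKE_AUTH payloads or X.509.

@dataclass(frozen=True)
class Peer:
    auth_method: str                # "psk" or "cert"
    identity: str                   # IDi for PSK, certificate subject for cert
    root_ca: Optional[str] = None   # trusted root the certificate chained to

@dataclass(frozen=True)
class Rule:
    auth_method: str
    identity: Optional[str]         # None means "any identity"
    root_ca: Optional[str]          # cert rules: required trust anchor
    allowed: frozenset              # tunnel features allowed; {"*"} means any

# --- authentication: who is this peer? ---------------------------------

def authenticate_psk(peer_id: str, presented: bytes, psk_table: dict) -> Optional[Peer]:
    """With a pre-shared secret the identity is whichever ID's secret verified,
    so identity and authentication are the same lookup."""
    secret = psk_table.get(peer_id)
    if secret is None or not hmac.compare_digest(secret, presented):
        return None
    return Peer("psk", peer_id)

def authenticate_cert(cert: dict, trusted_roots: set) -> Optional[Peer]:
    """With PKIX the identity is the subject; trust comes from the chain.
    Simplified: only the name of the final issuer is checked (assumption)."""
    root = cert["chain"][-1] if cert["chain"] else None
    if root not in trusted_roots:
        return None
    return Peer("cert", cert["subject"], root)

# --- authorization: what may this peer set up? -------------------------

def rule_matches(rule: Rule, peer: Peer) -> bool:
    if rule.auth_method != peer.auth_method:
        return False
    if rule.identity is not None and rule.identity != peer.identity:
        return False
    if peer.auth_method == "cert" and rule.root_ca != peer.root_ca:
        return False
    return True

def authorize(policy: list, peer: Optional[Peer], requested: set) -> Optional[frozenset]:
    """First matching rule wins. Returns the granted subset of the requested
    features (responder-side narrowing), or None if the peer is refused."""
    if peer is None:                # authentication already failed
        return None
    for rule in policy:
        if rule_matches(rule, peer):
            if "*" in rule.allowed:
                return frozenset(requested)
            return frozenset(requested) & rule.allowed
    return None                     # authenticated, but no policy for it

# Constructed sample configuration (hypothetical names).
PSK_TABLE = {"gw-branch7": b"s3cret-branch7"}
TRUSTED_ROOTS = {"Corp Root CA"}
POLICY = [
    # "the gateway with this identity may set up a tunnel with these features"
    Rule("psk", "gw-branch7", None, frozenset({"net-10.7.0.0/16"})),
    # "any gateway with this identity may set up any kind of tunnel"
    Rule("cert", "CN=hq-gw", "Corp Root CA", frozenset({"*"})),
    # "any identity is OK as long as it chains to this root", with a limit
    Rule("cert", None, "Corp Root CA", frozenset({"net-10.0.0.0/8"})),
]
```

Rule order matters: the specific "CN=hq-gw" rule sits before the wildcard rule for the same root, otherwise the wildcard would win and narrow its tunnels. The identity the policy keys on is always the one the authentication step produced (the matched PSK ID or the verified certificate subject), which is the binding Mike's question is about; nothing from an unauthenticated IDi payload reaches `authorize`.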