
Re: Adding revised identities to IKEv2



Paul Hoffman / VPNC writes:
 > At 3:52 PM +0100 11/6/02, Francis Dupont wrote:
 > >But it shows we have to understand exactly what could/should
 > >be the usage of addresses in key management protocols too (see after).
 > 
 > Why? What people have found from many years of VPN deployment is that 
 > customers generally want one of two things:
 > - The ability to say "let any gateway with this identity set up any 
 > kind of tunnel with me"
 > - The ability to say "let the gateway with this identity set up a 
 > tunnel with these features"
 > For preshared secrets, there is no question of the identity. For PKIX 
 > certificates, the identity problem is so convoluted, almost all 
 > customers say "any identity is OK as long as the certificate 
 > correctly chains to this trusted root". The identity is logged, but 
 > the type of identity is not related to the ability to set up tunnels.

Paul,

Allow me to rephrase this: authz with pre-shared
secrets is easy/possible and with PKIX is
hard/impossible? If so, why? Assuming you're not
talking about carrying authz information in the
certs themselves, I would think the binding of
auth to authz would be pretty much equivalent.


       Mike
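As an added illustration of the two policies Paul describes ("any gateway whose credential checks out" versus "this identity gets these features") and of the PSK/PKIX binding Mike asks about, here is a small Go responder-side authorization module. It is example code written for this page, not code from the thread, any IKEv2 implementation, or any product. It assumes: HMAC-SHA256 as the negotiated prf; ECDSA P-256 keys; ID_FQDN identities; and constructed names (gw1.example.net, branch7.example.net, "Example VPN Root") and a constructed stand-in for the IKE signed octets. For a PSK peer the identity is whatever ID payload selected the shared secret; for a certificate peer it is the DNS subjectAltName that the ID payload matches, accepted only after the chain validates to a configured root and the AUTH signature checks. Either way the same Authorize step looks the identity up in one table, with an optional wildcard entry for the "any valid credential" case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Authorizer: ByID maps a peer identity (ID_FQDN text, from a PSK lookup or a
// certificate alike) to the traffic selectors it may negotiate CHILD_SAs for;
// AnyValid is the wildcard for any peer whose credential checks out (nil = none).
type Authorizer struct {
	Roots    *x509.CertPool
	PSKs     map[string][]byte
	ByID     map[string][]string
	AnyValid []string
}

// PSKAuthData is AUTH for shared-key authentication per RFC 7296 section 2.15,
// prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets); HMAC-SHA256 stands
// in for the negotiated prf (an assumption of this example).
func PSKAuthData(psk, signedOctets []byte) []byte {
	prf := func(key, data []byte) []byte {
		m := hmac.New(sha256.New, key)
		m.Write(data)
		return m.Sum(nil)
	}
	return prf(prf(psk, []byte("Key Pad for IKEv2")), signedOctets)
}

// AuthenticatePSK: the ID payload selects the secret and AUTH proves the peer
// holds it, so the identity is exactly the ID the lookup succeeded on.
func (a *Authorizer) AuthenticatePSK(id string, signedOctets, auth []byte) (string, error) {
	psk, ok := a.PSKs[id]
	if !ok || !hmac.Equal(auth, PSKAuthData(psk, signedOctets)) {
		return "", errors.New("PSK authentication failed for " + id)
	}
	return id, nil
}

// AuthenticateCert: the chain must end at a trusted root, AUTH must be the leaf
// key's signature over the signed octets, and the identity is the DNS
// subjectAltName matching the ID payload; a claimed ID the cert lacks is refused.
func (a *Authorizer) AuthenticateCert(leaf *x509.Certificate, claimedID string, signedOctets, sig []byte) (string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: a.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(signedOctets)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("AUTH signature invalid")
	}
	for _, name := range leaf.DNSNames {
		if name == claimedID {
			return name, nil
		}
	}
	return "", fmt.Errorf("ID payload %q not among certificate SANs %v", claimedID, leaf.DNSNames)
}

// Authorize is the same step for both methods: the authenticated identity selects
// the selectors, with the wildcard entry as fallback if the operator set one.
func (a *Authorizer) Authorize(id string) ([]string, error) {
	if sel, ok := a.ByID[id]; ok {
		return sel, nil
	}
	if a.AnyValid != nil {
		return a.AnyValid, nil
	}
	return nil, errors.New("no tunnel policy for " + id)
}

// NewTestPKI builds a throwaway root and a leaf for gwName: constructed test data
// standing in for a real PKI (errors ignored because the templates are fixed).
func NewTestPKI(gwName string) (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	gwKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN Root"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: gwName},
		DNSNames: []string{gwName}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, &gwKey.PublicKey, caKey)
	leafCert, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, leafCert, gwKey
}
```

The functions are meant to be driven from a `go test` file: build the test PKI, sign the constructed octets with the gateway key, call AuthenticateCert or AuthenticatePSK, then Authorize. Note what differs between the two paths and what does not: the PSK path binds identity to the key-table entry and nothing else, while the certificate path must decide which certificate field is the identity (here the DNS SAN) and refuse a peer whose ID payload claims a name its certificate does not carry, even though the chain itself is valid. Once that choice is made, the authorization table is the same for both.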