Re: Adding revised identities to IKEv2



At 12:58 PM -0800 11/7/02, Michael Thomas wrote:
>Paul Hoffman / VPNC writes:
>  > At 3:52 PM +0100 11/6/02, Francis Dupont wrote:
>  > >But it shows we have to understand exactly what could/should
>  > >be the usage of addresses in key management protocols too (see after).
>  >
>  > Why? What people have found from many years of VPN deployment is that
>  > customers generally want one of two things:
>  > - The ability to say "let any gateway with this identity set up any
>  > kind of tunnel with me"
>  > - The ability to say "let the gateway with this identity set up a
>  > tunnel with these features"
>  > For preshared secrets, there is no question of the identity. For PKIX
>  > certificates, the identity problem is so convoluted, almost all
>  > customers say "any identity is OK as long as the certificate
>  > correctly chains to this trusted root". The identity is logged, but
>  > the type of identity is not related to the ability to set up tunnels.
>
>Paul,
>
>Allow me to rephrase this: authz with pre-shared
>secrets is easy/possible and with PKIX is
>hard/impossible?

No, that is a completely incorrect rephrasing of what I said. Most 
VPN vendors have no problem with making IPsec work with certificates 
as outlined above, and most users have no problem with using them in 
that fashion.

>Assuming you're not
>talking about carrying authz information in the
>certs themselves, I would think the binding of
>auth to authz would be pretty much equivalent.

Sorry, I can't parse that last sentence. Could you restate it?

--Paul Hoffman, Director
--VPN Consortium