Re: Adding revised identities to IKEv2
At 12:58 PM -0800 11/7/02, Michael Thomas wrote:
>Paul Hoffman / VPNC writes:
> > At 3:52 PM +0100 11/6/02, Francis Dupont wrote:
> > >But it shows we have to understand exactly what could/should
> > >be the usage of addresses in key management protocols too (see after).
> >
> > Why? What people have found from many years of VPN deployment is that
> > customers generally want one of two things:
> > - The ability to say "let any gateway with this identity set up any
> > kind of tunnel with me"
> > - The ability to say "let the gateway with this identity set up a
> > tunnel with these features"
> > For preshared secrets, there is no question of the identity. For PKIX
> > certificates, the identity problem is so convoluted, almost all
> > customers say "any identity is OK as long as the certificate
> > correctly chains to this trusted root". The identity is logged, but
> > the type of identity is not related to the ability to set up tunnels.
>
>Paul,
>
>Allow me to rephrase this: authz with pre-shared
>secrets is easy/possible and with PKIX is
>hard/impossible?
No, that is a completely incorrect rephrasing of what I said. Most
VPN vendors have no problem with making IPsec work with certificates
as outlined above, and most users have no problem with using them in
that fashion.
>Assuming you're not
>talking about carrying authz information in the
>certs themselves, I would think the binding of
>auth to authz would be pretty much equivalent.
Sorry, I can't parse that last sentence. Could you restate it?
--Paul Hoffman, Director
--VPN Consortium
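The two policy shapes Paul describes ("any gateway with this identity may set up any tunnel" versus "the gateway with this identity may set up a tunnel with these features"), plus the common PKIX practice of accepting any identity whose certificate chains to a trusted root while still logging that identity, can be written down as a small peer-authorization evaluator. The following Python is an added example for this thread, not code from any participant or from any IKE implementation; the rule shapes, identity strings, feature names and root-CA name are constructed, and certificate path validation is assumed to have already happened (the peer record simply carries the root the chain terminated at, or `None` if validation failed).

```python
"""Toy IKE peer-authorization policy: identity-based rules for PSK peers and
trust-root rules for certificate peers. Added example; all names are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

ANY = "*"  # wildcard for "any identity" / "any method" / "any feature"


@dataclass
class AuthenticatedPeer:
    """What the authentication exchange established about the remote gateway."""
    identity: str                       # IKE ID the peer asserted and proved
    method: str                         # "psk" or "cert"
    trusted_root: Optional[str] = None  # root the cert chained to after path validation, else None


@dataclass
class Rule:
    """One authorization rule; the first matching rule decides."""
    match_identity: str                       # exact identity or ANY
    match_method: str                         # "psk", "cert" or ANY
    require_root: Optional[str] = None        # cert peers: root the chain must end at
    allowed_features: FrozenSet[str] = frozenset({ANY})  # ANY = any kind of tunnel


audit_log: List[str] = []  # identity is always recorded, whether or not it gated the decision


def _matches(rule: Rule, peer: AuthenticatedPeer) -> bool:
    if rule.match_identity != ANY and rule.match_identity != peer.identity:
        return False
    if rule.match_method != ANY and rule.match_method != peer.method:
        return False
    # A cert rule matches only if validation terminated at the required root;
    # a peer whose chain failed validation has trusted_root None and never matches.
    if rule.require_root is not None and peer.trusted_root != rule.require_root:
        return False
    return True


def authorize(peer: AuthenticatedPeer, requested: Set[str], rules: List[Rule]) -> bool:
    """Return True if the first rule matching this peer permits every requested feature."""
    for rule in rules:
        if not _matches(rule, peer):
            continue
        if ANY in rule.allowed_features or requested <= rule.allowed_features:
            audit_log.append(f"ALLOW {peer.identity} via {peer.method} features={sorted(requested)}")
            return True
        denied = sorted(requested - rule.allowed_features)
        audit_log.append(f"DENY {peer.identity} via {peer.method}: features {denied} not permitted")
        return False
    audit_log.append(f"DENY {peer.identity} via {peer.method}: no matching rule")
    return False


# Constructed policy mirroring the two customer requests plus the PKIX "any identity,
# trusted root" practice. Rule order matters: first match wins.
RULES = [
    Rule("gw1.example.net", "psk"),                                   # any kind of tunnel
    Rule("branch.example.net", "psk",
         allowed_features=frozenset({"esp", "transport"})),           # only these features
    Rule(ANY, "cert", require_root="Example Corp Root CA"),           # any identity, logged
]

if __name__ == "__main__":
    peers = [
        (AuthenticatedPeer("gw1.example.net", "psk"), {"esp", "tunnel", "nat-t"}),
        (AuthenticatedPeer("branch.example.net", "psk"), {"esp", "tunnel"}),
        (AuthenticatedPeer("anything.example.org", "cert", "Example Corp Root CA"), {"esp", "tunnel"}),
        (AuthenticatedPeer("anything.example.org", "cert", "Some Other CA"), {"esp"}),
    ]
    for peer, feats in peers:
        authorize(peer, feats, RULES)
    print("\n".join(audit_log))
```

Note that for the certificate rule the identity never influences the decision, only the trust anchor does, yet it still lands in `audit_log`; that separation is the point Paul makes about identity being logged but not tied to tunnel capability. Swapping rule order (putting an identity-specific cert rule before the wildcard) is how one would express the stricter "this identity, these features" policy for certificate peers as well.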