
RE: Adding revised identities to IKEv2

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Hoffman / VPNC
> Sent: Thursday, November 07, 2002 1:09 PM
> To: Michael Thomas
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Adding revised identities to IKEv2
>
>
> At 12:58 PM -0800 11/7/02, Michael Thomas wrote:
> >Paul Hoffman / VPNC writes:
> >  > At 3:52 PM +0100 11/6/02, Francis Dupont wrote:
> >  > >But it shows we have to understand exactly what could/should
> >  > >be the usage of addresses in key management protocols too
> (see after).
> >  >
> >  > Why? What people have found from many years of VPN deployment is that
> >  > customers generally want one of two things:
> >  > - The ability to say "let any gateway with this identity set up any
> >  > kind of tunnel with me"
> >  > - The ability to say "let the gateway with this identity set up a
> >  > tunnel with these features"
> >  > For preshared secrets, there is no question of the identity. For PKIX
> >  > certificates, the identity problem is so convoluted, almost all
> >  > customers say "any identity is OK as long as the certificate
> >  > correctly chains to this trusted root". The identity is logged, but
> >  > the type of identity is not related to the ability to set up tunnels.
> >
> >Paul,
> >
> >Allow me to rephrase this: authz with pre-shared
> >secrets is easy/possible and with PKIX is
> >hard/impossible?
>
> No, that is a completely incorrect rephrasing of what I said. Most
> VPN vendors have no problem with making IPsec work with certificates
> as outlined above, and most users have no problem with using them in
> that fashion.
>
> >Assuming you're not
> >talking about carrying authz information in the
> >certs themselves, I would think the binding of
> >auth to authz would be pretty much equivalent.
>
> Sorry, I can't parse that last sentence. Could you restate it?

Paul H. isn't proposing any fancy PKIX PKI tricks. He's proposing that IKE
handle PKIX PKI certificates correctly, instead of the existing poorly stated
ID mechanisms, which never had a chance of working with certificates.

	- Max

> --Paul Hoffman, Director
> --VPN Consortium
>
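Added worked example, not from this thread, from the VPNC, or from any IKE
implementation: a small policy evaluator for the three authorization shapes
the thread describes (any tunnel for a named identity; a constrained tunnel
for a named identity; any tunnel for any identity whose certificate chains to
a trusted root). Everything in it is constructed: the rule names, peer names,
CA names and traffic selectors are made up, the ID type numbers are the ones
in RFC 7296 section 3.5, certificate path validation is assumed to have
already happened (the peer object just records which root the chain ended at
and which identities the end-entity certificate carries), and the rule that a
certificate-authenticated peer's asserted ID must appear in its certificate is
this example's own choice, not something the thread specifies.

```python
"""Toy IKE peer-authorization evaluator (constructed example, not code from
this thread or from any IKE implementation).

Models the three policy shapes discussed in the thread:
  1. "let any gateway with this identity set up any kind of tunnel with me"
  2. "let the gateway with this identity set up a tunnel with these features"
  3. "any identity is OK as long as the certificate chains to this trusted root"
Certificate path validation is assumed done elsewhere; the peer object only
records the trusted root the chain ended at and the IDs the cert carries.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# IKEv2 Identification payload types (values as in RFC 7296, section 3.5)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

Identity = Tuple[int, str]          # (ID type, ID data)
TrafficSelector = Tuple[str, str]   # (local prefix, remote prefix), simplified


@dataclass
class AuthenticatedPeer:
    """What IKE_AUTH established: the ID the peer asserted and how it proved it."""
    id_type: int
    id_value: str
    method: str                              # "psk" or "cert"
    chain_root: Optional[str] = None         # trusted root the chain ended at (cert only)
    cert_ids: Tuple[Identity, ...] = ()      # identities present in the end-entity cert


@dataclass
class Rule:
    name: str
    identity: Optional[Identity] = None                     # None: any identity
    trusted_root: Optional[str] = None                      # None: no chain requirement
    selectors: Optional[FrozenSet[TrafficSelector]] = None  # None: any tunnel


def identity_is_bound(peer: AuthenticatedPeer) -> bool:
    """Is the asserted ID actually tied to the credential the peer proved?

    PSK: the ID selected which shared secret was used, so proving knowledge of
    that secret proves the ID.  Cert: this example requires the asserted ID to
    be one of the IDs carried in the certificate (an assumption of the example,
    not a rule the thread states)."""
    if peer.method == "psk":
        return True
    if peer.method == "cert":
        return peer.chain_root is not None and (peer.id_type, peer.id_value) in peer.cert_ids
    return False


def authorize(peer: AuthenticatedPeer, requested: TrafficSelector, rules):
    """First matching rule wins.  Returns (allowed, rule_name, log_line).
    The peer identity is logged on every decision, allowed or not."""
    log = (f"ike peer id_type={peer.id_type} id={peer.id_value!r} "
           f"auth={peer.method} root={peer.chain_root!r} ts={requested}")
    if not identity_is_bound(peer):
        return False, None, log + " result=REJECT reason=id-not-bound-to-credential"
    for rule in rules:
        if rule.identity is not None and rule.identity != (peer.id_type, peer.id_value):
            continue
        if rule.trusted_root is not None and peer.chain_root != rule.trusted_root:
            continue
        if rule.selectors is not None and requested not in rule.selectors:
            continue
        return True, rule.name, log + f" result=ALLOW rule={rule.name}"
    return False, None, log + " result=REJECT reason=no-matching-rule"


# Constructed policy.  Order matters: the root-based wildcard goes last so a
# more specific, constrained rule for a named peer is tried first.
POLICY = [
    Rule("hq-any-tunnel", identity=(ID_KEY_ID, "hq-gw")),                   # shape 1
    Rule("branch7-lan-only", identity=(ID_FQDN, "gw7.branch.example"),       # shape 2
         selectors=frozenset({("10.0.0.0/8", "192.168.7.0/24")})),
    Rule("corp-root-any-tunnel", trusted_root="Example Corp Root CA"),       # shape 3
]

# Constructed peers (made-up hosts, names and CAs).
HQ = AuthenticatedPeer(ID_KEY_ID, "hq-gw", "psk")
BRANCH7 = AuthenticatedPeer(ID_FQDN, "gw7.branch.example", "cert",
                            chain_root="Partner Root CA",
                            cert_ids=((ID_FQDN, "gw7.branch.example"),))
CORP_DN = AuthenticatedPeer(ID_DER_ASN1_DN, "CN=gw42,O=Example Corp", "cert",
                            chain_root="Example Corp Root CA",
                            cert_ids=((ID_DER_ASN1_DN, "CN=gw42,O=Example Corp"),))
# Asserts branch7's FQDN but holds a valid partner cert that does not contain it.
IMPOSTOR = AuthenticatedPeer(ID_FQDN, "gw7.branch.example", "cert",
                             chain_root="Partner Root CA",
                             cert_ids=((ID_FQDN, "other.example"),))

ANY = ("0.0.0.0/0", "0.0.0.0/0")
BRANCH7_LAN = ("10.0.0.0/8", "192.168.7.0/24")

if __name__ == "__main__":
    for peer, ts in [(HQ, ANY), (BRANCH7, BRANCH7_LAN), (BRANCH7, ANY),
                     (CORP_DN, ANY), (IMPOSTOR, BRANCH7_LAN)]:
        print(authorize(peer, ts, POLICY)[2])
```

The IMPOSTOR case is the one to look at: without the identity_is_bound
check, a peer holding any certificate the gateway trusts could assert
branch7's FQDN in its ID payload and pick up branch7's rule, which is the kind
of gap an ID mechanism that is not tied to the certificate leaves open. The
log line carries the identity and ID type on every decision, matching the
observation above that the identity is logged even where its type plays no
part in which tunnels are permitted.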