RE: Adding revised identities to IKEv2

[Paul Hoffman / VPNC <paul.hoffman@vpnc.org>]

At 6:45 PM -0800 11/7/02, Max Pritikin wrote:
>Paul H. isn't proposing any fancy pkix PKI tricks. He's proposing that IKE
>handle pkix PKI certificates correctly; instead of the existing poorly
>stated ID mechanisms which never had a chance of working with certificates.

Exactly. For the majority of users, there is a single authorization 
policy: "everyone I trust is allowed to match any traffic policy". As 
Jan said, in IKEv1 with presahred keys, there is no separate ID: it 
is the IP address.

With certificates, it's a mess. Is the ID the whole Subject? Any part 
of the Subject? The whole SubjectAltName? Any part of the 
SubjectAltName? The combination of the whole Subject *and* the whole 
SubjectAltName? But the real question is, who cares? If the gateway 
admin wants to trust anyone who has a certificate from the trusted 
root, the ID is pretty much just there for logging. And if they do 
want to differentiate by ID, they are probably smart enough to fill 
in the right fields in the GUI for the ID type they care about. 
(Well, I just lied there: very few IPsec GUIs allow you to 
differentiate at the level needed.)

--Paul Hoffman, Director
--VPN Consortium