
RE: Adding revised identities to IKEv2



At 9:48 AM -0500 11/8/02, Stephen Kent wrote:
>What you have identified here is a mess due to a lack of 
>sufficiently precise discussion in previous documents about what to 
>do with the info.

Yup. In fact, there was a lack of almost any discussion.

>  That does not mean that we cannot provide this level of detail now, 
>so that people can make use of certs in a predictable, reasonable 
>fashion.

Exactly right.

>  This is what IKE v2 and a cert profile should do, in combination.

Given the importance of certificates to IKEv2, the profile should be 
a part of the IKEv2 document.

>  I think we do a disservice to clients if we just throw up our 
>hands and say it's too hard.

If you are talking about IKEv2, I fully agree. If you are talking 
about IKEv1, I would disagree because many vendors have in good faith 
tried to interpret what little we have given them and come up with 
radically different answers. It would be wrong for us to, at this 
late date, say that some implementations are non-conformant.

>  As a nominal co-author for IKEv2, I will try to focus on that part 
>of the doc, which I have not done previously, and work to coordinate 
>it with the PKI profile, to make sure we remove the ambiguities. OK?

Absolutely! Obviously, I would like to help. After Brian and Eric's 
draft gets a bit of discussion on the list (ahem), I think we would 
be in a good place to set down a small number of MUSTs that everyone 
can understand.

--Paul Hoffman, Director
--VPN Consortium