
Re: Adding revised identities to IKEv2



At 10:46 AM +0100 11/8/02, Francis Dupont wrote:
>=> there is no agreement about what checks must be done:
>  - common sense says the identity must be a subject of the certificate
>    (but this is not clearly specified in IKEv1 and perhaps some
>     implementations don't perform this check)

That does not follow. There is no standard way for the Subject to be 
an email address (the way folks do it now is a non-standard hack), 
there is no standard way for the Subject to be an IP address. I'm not 
sure, but I think the DC method of doing domain names in the Subject 
is also a non-standard hack.

>=> I agree this kind of bootstrap problems comes from silly configurations
>but the IPv6 neighbor discovery issue showed these silly configurations
>happen in the real world so they should be handled. In this case
>the "unresolvable URLs" case should be extended to the inaccessible
>because of IPsec cross-dependence case.

The error definition I proposed was:
	Could not get the certificate through the URL that was given in the
	FullID type 3 payload. This could be due to connectivity problems,
	an error from the HTTP server, a malformed URL, or a host of other
	reasons.
That last phrase should cover almost anything.

--Paul Hoffman, Director
--VPN Consortium