
RE: Adding revised identities to IKEv2



On Thu, 7 Nov 2002, Paul Hoffman / VPNC wrote:

> At 6:45 PM -0800 11/7/02, Max Pritikin wrote:
> >Paul H. isn't proposing any fancy pkix PKI tricks. He's proposing that IKE
> >handle pkix PKI certificates correctly; instead of the existing poorly
> >stated ID mechanisms which never had a chance of working with certificates.
>
> Exactly. For the majority of users, there is a single authorization
> policy: "everyone I trust is allowed to match any traffic policy". As
> Jan said, in IKEv1 with pre-shared keys, there is no separate ID: it
> is the IP address.
>

Correction: In IKE with MAIN MODE with pre-shared keys. Aggressive
mode opens up more options.

jan


> With certificates, it's a mess. Is the ID the whole Subject? Any part
> of the Subject? The whole SubjectAltName? Any part of the
> SubjectAltName? The combination of the whole Subject *and* the whole
> SubjectAltName? But the real question is, who cares? If the gateway
> admin wants to trust anyone who has a certificate from the trusted
> root, the ID is pretty much just there for logging. And if they do
> want to differentiate by ID, they are probably smart enough to fill
> in the right fields in the GUI for the ID type they care about.
> (Well, I just lied there: very few IPsec GUIs allow you to
> differentiate at the level needed.)
>
> --Paul Hoffman, Director
> --VPN Consortium
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

THE NETWORK WORKS,
NO EXCUS NFS server mastiff-fddi not responding still trying
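The question Paul raises in the quoted message (is the ID the whole Subject, part of it, a SubjectAltName entry?) is easiest to see against a concrete matching policy. The following is an added example written for this archive page; it is not code from the thread, from VPNC, or from any IKE implementation. It uses only the Go standard library, constructs its own self-signed certificate (the names gw1.example.net, admin@example.net, 192.0.2.1 and the "Example VPN" Subject are made up for the example), and maps each IKE ID type to exactly one certificate field: ID_FQDN to SAN dNSName, ID_RFC822_ADDR to SAN rfc822Name, ID_IPV4_ADDR to SAN iPAddress, and ID_DER_ASN1_DN to the whole Subject compared as DER. A CN that happens to look like a hostname is deliberately not accepted as an FQDN, and a partial DN does not match; both are policy choices the thread leaves open, made explicit here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// IKE identification type code points (IPsec DOI, reused by IKEv2).
const (
	IDIPv4Addr  = 1 // ID_IPV4_ADDR
	IDFQDN      = 2 // ID_FQDN
	IDRFC822    = 3 // ID_USER_FQDN in IKEv1, ID_RFC822_ADDR in IKEv2
	IDDERASN1DN = 9 // ID_DER_ASN1_DN
)

// PeerID is what the gateway admin configured for a peer: one IKE ID type
// plus its value. Name is used for FQDN/RFC822/IPv4, DN for ID_DER_ASN1_DN.
type PeerID struct {
	Type int
	Name string    // FQDN, RFC 822 address or dotted IPv4 address
	DN   pkix.Name // full Subject, used only when Type == IDDERASN1DN
}

// MatchID checks one configured identity against the certificate. Each ID
// type is matched against exactly one certificate field and nothing else:
// the Subject CN is never treated as a DNS name, and a DN must match the
// whole RawSubject byte for byte (as DER), never "any part of the Subject".
func MatchID(cert *x509.Certificate, id PeerID) bool {
	switch id.Type {
	case IDFQDN:
		for _, n := range cert.DNSNames {
			if strings.EqualFold(n, id.Name) { // DNS names are case-insensitive
				return true
			}
		}
	case IDRFC822:
		for _, e := range cert.EmailAddresses {
			if e == id.Name { // compared exactly; local parts may be case-sensitive
				return true
			}
		}
	case IDIPv4Addr:
		want := net.ParseIP(id.Name)
		if want == nil || want.To4() == nil {
			return false
		}
		for _, ip := range cert.IPAddresses {
			if ip.Equal(want) { // Equal handles 4-byte vs 16-byte forms
				return true
			}
		}
	case IDDERASN1DN:
		der, err := asn1.Marshal(id.DN.ToRDNSequence())
		return err == nil && bytes.Equal(der, cert.RawSubject)
	}
	return false
}

// Identities lists every name the certificate carries, tagged with the IKE ID
// type it would travel as; this is the log line you want when the policy is
// just "anyone with a certificate from the trusted root is allowed".
func Identities(cert *x509.Certificate) []string {
	out := []string{"DN:" + cert.Subject.String()}
	for _, n := range cert.DNSNames {
		out = append(out, "FQDN:"+n)
	}
	for _, e := range cert.EmailAddresses {
		out = append(out, "RFC822:"+e)
	}
	for _, ip := range cert.IPAddresses {
		out = append(out, "IP:"+ip.String())
	}
	return out
}

// ConstructedSubject is the (made-up) Subject of the test certificate below.
func ConstructedSubject() pkix.Name {
	return pkix.Name{Organization: []string{"Example VPN"}, CommonName: "gw1.example.net"}
}

// ConstructedCert builds a self-signed certificate for this example only (no
// real CA or gateway) carrying one SAN entry of each name type.
func ConstructedCert() *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        ConstructedSubject(),
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		DNSNames:       []string{"gw1.example.net"},
		EmailAddresses: []string{"admin@example.net"},
		IPAddresses:    []net.IP{net.ParseIP("192.0.2.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	cert := ConstructedCert()
	fmt.Println("certificate identities:", Identities(cert))
	for _, id := range []PeerID{
		{Type: IDFQDN, Name: "GW1.example.net"},
		{Type: IDFQDN, Name: "gw2.example.net"},
		{Type: IDRFC822, Name: "admin@example.net"},
		{Type: IDIPv4Addr, Name: "192.0.2.1"},
		{Type: IDDERASN1DN, DN: ConstructedSubject()},
		{Type: IDDERASN1DN, DN: pkix.Name{CommonName: "gw1.example.net"}}, // partial DN
	} {
		fmt.Printf("type %d %q %v -> %v\n", id.Type, id.Name, id.DN, MatchID(cert, id))
	}
}
```

The DER comparison for ID_DER_ASN1_DN is what an IKE peer actually sends in that ID payload, so comparing RawSubject bytes avoids the string-form pitfalls (attribute order, encoding, whitespace) that a "compare the printed DN" approach runs into. If your deployment really does want "any certificate from the trusted root", that decision belongs in the chain-validation step, and Identities() is then only for the log.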