
Re: Authentication methods in IKEv2



At 10:15 AM +0300 11/12/02, Valery Smyslov wrote:
>I've been thinking that they trust each other because they both trust the
>same CA.
>But that CA may easily issue certificates of both types, RSA and DSS.
>Imagine the situation: security gateway serves as access point for
>two distinct groups of clients. One group of clients supports only RSA,
>while the other - only DSS. All clients have certificates issued by the same CA
>(of course, of different types). Gateway supports both RSA and DSS and
>trusts the same CA. Situation probably a bit weird, but not unrealistic.

Exactly right. One of the goals of IKEv2 is to reduce the number of 
options that were only put in for situations that were "a bit weird".

>The question: how would the gateway unambiguously determine, in every
>particular case, which of its certificates (RSA or DSS) to use (apart from
>heuristic methods)?

By trying one and, if it fails, trying again with the other.

>By the way, notification AUTHENTICATION-FAILED is missing
>in the document...

That's a problem! In fact, it is mentioned in section 5.8, but fell 
off the list of notifications.

--Paul Hoffman, Director
--VPN Consortium
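The trial-and-retry selection Paul describes, written out as a toy model. This is an added example, not code from the thread or from any IKEv2 implementation: the gateway holds one RSA and one DSS credential, signs its AUTH payload with the first, and on AUTHENTICATION_FAILED starts over with the other. Real signatures are replaced by an HMAC stand-in so it runs on the standard library alone; the key names, the client groups and the "other CA" case are constructed for illustration. What it makes visible is the cost Paul's answer leaves implicit: every failed attempt is a discarded IKE SA and a fresh exchange, so a DSS-only client pays for two rounds when the gateway prefers RSA.

```python
"""Toy model of an IKEv2 responder picking its RSA or DSS certificate by trial.
Added example, not from the mailing-list thread. Signatures are an HMAC
stand-in; the retry logic, not the cryptography, is the point."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

AUTH_OK = "OK"
AUTHENTICATION_FAILED = "AUTHENTICATION_FAILED"   # the notify the thread says fell off the list


@dataclass(frozen=True)
class Credential:
    alg: str      # "RSA" or "DSS": the certificate type
    key: bytes    # stand-in for the private key (hypothetical, constructed)


def sign(cred: Credential, data: bytes) -> bytes:
    """Stand-in for the AUTH payload: algorithm tag plus an HMAC over the signed octets."""
    mac = hmac.new(cred.key, data, hashlib.sha256).digest()
    return cred.alg.encode() + b":" + mac


@dataclass
class Client:
    supported: FrozenSet[str]    # algorithms this client's code can verify
    trusted: Dict[str, bytes]    # alg -> gateway key this client trusts (via the shared CA)

    def check_auth(self, data: bytes, auth: bytes) -> str:
        """Verify the gateway's AUTH payload; unsupported algorithm or bad MAC both fail."""
        alg_raw, _, mac = auth.partition(b":")
        alg = alg_raw.decode()
        if alg not in self.supported or alg not in self.trusted:
            return AUTHENTICATION_FAILED
        expected = hmac.new(self.trusted[alg], data, hashlib.sha256).digest()
        return AUTH_OK if hmac.compare_digest(mac, expected) else AUTHENTICATION_FAILED


@dataclass
class Gateway:
    creds: List[Credential]     # preference order, e.g. RSA first

    def authenticate(self, client: Client, data: bytes) -> Tuple[Optional[str], List[str]]:
        """Try each credential in turn. A failed attempt means a discarded IKE SA
        and a fresh exchange, so the list of algorithms tried is returned as well."""
        tried: List[str] = []
        for cred in self.creds:
            tried.append(cred.alg)
            if client.check_auth(data, sign(cred, data)) == AUTH_OK:
                return cred.alg, tried
        return None, tried


# Constructed sample keys and certificate set: both certs issued by one CA.
RSA_KEY, DSS_KEY = b"gw-rsa-key", b"gw-dss-key"
GATEWAY = Gateway([Credential("RSA", RSA_KEY), Credential("DSS", DSS_KEY)])
SAME_CA = {"RSA": RSA_KEY, "DSS": DSS_KEY}


def run_scenarios(data: bytes = b"IKE_AUTH-signed-octets") -> Dict[str, Tuple[Optional[str], List[str]]]:
    """The two client groups from the thread, plus a client that trusts a different CA."""
    return {
        "rsa-only": GATEWAY.authenticate(Client(frozenset({"RSA"}), SAME_CA), data),
        "dss-only": GATEWAY.authenticate(Client(frozenset({"DSS"}), SAME_CA), data),
        "other-ca": GATEWAY.authenticate(
            Client(frozenset({"RSA", "DSS"}), {"RSA": b"other-rsa", "DSS": b"other-dss"}), data),
    }


if __name__ == "__main__":
    for name, (alg, tried) in run_scenarios().items():
        print(f"{name:9s} -> {alg or 'failed'} after trying {tried}")
```

Reordering `GATEWAY.creds` is the only knob the gateway has without a hint from the peer: whichever group is larger should come first, because the other group always pays for the extra exchange.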