
Re: Adding revised identities to IKEv2



At 5:02 PM -0500 11/12/02, Uri Blumenthal wrote:
>Stephen Kent wrote:
>>
>>  As many of you know, I try to avoid the T-word (trust) in almost all
>>  security technology discussions. I'd like to suggest that it is
>>  inappropriate in this discussion as well.
>
>Fully agree. Trust is about authorization, which is not IPsec's
>domain (IMHO).

well, access control is an intrinsic feature of IPsec, so we may 
disagree on that point. also, I don't believe that trust and 
authorization are really linked as tightly as you suggest. the whole 
notion of "trust management" that has arisen over the last few years 
seems to be largely a function of a view that does not acknowledge 
the existence of authoritative sources of authentication data. in the 
physical world we have many such sources, and in cyberspace we have 
several predominant ones, the DNS being the most common example.

>
><SNIP>
>
>And I want a relaxed identification - something like "as long as
>I can associate a key with the identity, the identity is OK".

are you looking for the SPKI WG mailing list?

I think it died along with the WG :-)

Steve