Re: Adding revised identities to IKEv2
At 7:00 PM -0500 11/12/02, Uri Blumenthal wrote:
>Stephen Kent wrote:
>> >......how do you identify a key................
>>
>> First, I don't want to identify keys in most cases (I don't see them
>> as principals), and this would be one of them.
>
>Touche (:-).
>
>> If I am responsible for access control for some resources, I want to
>> know who's requesting access, and for that I want a name or at least
>> an organizational affiliation........Use of crypto tokens, one-time
>> keys, etc. all come to mind and all have limitations...........
>
>Sure. What I'm driving at - FQDN may not be applicable for
>identifying the requestor. So a symbolic string with wider
>semantic than FQDN should be allowed as an "identity tag"
>on the key.
I agree that an FQDN is not always the right answer, but in the
interest of interoperability and simplicity, I would like to define
what the allowed names forms are, since IKE must be prepared to deal
with them and the SPD interface must deal with them. I was assuming
we would have FQDNs, RFC822 addresses as user names, DNs, and IP
addresses. Anything else you think we should include?
Steve
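An added example, not from this thread or from any IKE implementation, showing what the allow-list Steve proposes looks like at the point where an IKE responder hands a peer identity to the SPD: the Identification payload is parsed, its ID type is checked against the four permitted name forms (IP address, FQDN, RFC822 address, DN), an opaque key tag is refused, and the result is matched against a toy SPD. The ID type numbers are those later fixed in RFC 7296 (this message predates that document); the rule shape of `SAMPLE_SPD`, the function names and the sample payloads in the usage note are my own constructions.

```python
import ipaddress
import re
from typing import NamedTuple

# IKEv2 Identification payload ID types (values as later fixed in RFC 7296, 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

# Policy allow-list: the four name forms the message proposes.  ID_KEY_ID, an
# opaque tag on a key rather than the name of a principal, is refused up front.
ALLOWED_ID_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_DER_ASN1_DN}

class Identity(NamedTuple):
    id_type: int
    value: str  # canonical text form handed to the SPD

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _valid_fqdn(name: str) -> bool:
    # RFC 1035 length limits, at least two labels, no empty or hyphen-edged label.
    if not 1 <= len(name) <= 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)

def _valid_rfc822(addr: str) -> bool:
    local, sep, domain = addr.rpartition("@")
    if not sep or not 1 <= len(local) <= 64 or "@" in local or " " in local:
        return False
    return local.isprintable() and _valid_fqdn(domain)

def _der_is_one_sequence(data: bytes) -> bool:
    # A DN is a single DER SEQUENCE (tag 0x30); require its length to span the
    # payload exactly so no trailing octets ride along unexamined.
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form
        hdr, length = 2, first
    elif first in (0x81, 0x82):            # long form, 1 or 2 length octets
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    else:
        return False
    return hdr + length == len(data)

def parse_id_payload(body: bytes) -> Identity:
    """Parse an IKEv2 Identification payload body (after the generic payload
    header): ID Type (1 octet), RESERVED (3 octets), Identification Data.
    Raises ValueError when the allow-list or the format check rejects it."""
    if len(body) < 4:
        raise ValueError("ID payload too short")
    id_type, data = body[0], body[4:]
    if body[1:4] != b"\x00\x00\x00":
        raise ValueError("RESERVED octets must be zero")
    if id_type not in ALLOWED_ID_TYPES:
        raise ValueError(f"ID type {id_type} not permitted by policy")
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        want = 4 if id_type == ID_IPV4_ADDR else 16
        if len(data) != want:
            raise ValueError(f"ID type {id_type} must carry exactly {want} octets")
        return Identity(id_type, str(ipaddress.ip_address(data)))
    if id_type == ID_DER_ASN1_DN:
        if not _der_is_one_sequence(data):
            raise ValueError("ID_DER_ASN1_DN is not a well-formed DER SEQUENCE")
        return Identity(id_type, "dn:" + data.hex())
    text = data.decode("ascii")  # UnicodeDecodeError is a ValueError subclass
    ok = _valid_fqdn(text) if id_type == ID_FQDN else _valid_rfc822(text)
    if not ok:
        raise ValueError(f"malformed identity data for ID type {id_type}")
    return Identity(id_type, text)

def _matches(identity: Identity, pattern: str) -> bool:
    t, v = identity
    if t in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return ipaddress.ip_address(v) in ipaddress.ip_network(pattern, strict=False)
    if t == ID_FQDN:  # "*.example.com" matches subdomains only, never the apex
        v, pattern = v.lower().rstrip("."), pattern.lower()
        return v.endswith(pattern[1:]) if pattern.startswith("*.") else v == pattern
    if t == ID_RFC822_ADDR:  # "@example.com" matches any user at that domain
        local, _, domain = v.rpartition("@")
        plocal, _, pdomain = pattern.rpartition("@")
        return domain.lower() == pdomain.lower() and (plocal == "" or plocal == local)
    return v == pattern  # DER DN: exact comparison of the encoded form

def spd_lookup(identity: Identity, rules) -> str:
    """Toy SPD selector match (constructed here, not the IPsec SPD schema):
    rules are (id_type, pattern, action); first match wins, and an identity no
    rule names falls to DISCARD, so an unknown peer is never admitted by default."""
    for rule_type, pattern, action in rules:
        if rule_type == identity.id_type and _matches(identity, pattern):
            return action
    return "DISCARD"

# Constructed sample policy for the usage note and tests.
SAMPLE_SPD = [
    (ID_FQDN, "*.example.com", "PROTECT"),
    (ID_RFC822_ADDR, "@example.com", "PROTECT"),
    (ID_IPV4_ADDR, "192.0.2.0/24", "PROTECT"),
]
```

Usage: `spd_lookup(parse_id_payload(b"\x02\x00\x00\x00gw1.example.com"), SAMPLE_SPD)` returns `"PROTECT"`, while a payload carrying ID type 11 (a bare key tag) is rejected in `parse_id_payload` before any policy is consulted. Doing the type check at parse time, rather than leaving it to each SPD rule, is what keeps the set of name forms the SPD interface must understand small, which is the interoperability point the message makes.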