Re: Adding revised identities to IKEv2
At 11/12/02 07:11 PM, you wrote:
>At 7:00 PM -0500 11/12/02, Uri Blumenthal wrote:
>>Stephen Kent wrote:
>>> >......how do you identify a key................
>>>
>>> First, I don't want to identify keys in most cases (I don't see them
>>> as principals), and this would be one of them.
>>
>>Touche (:-).
>>
>>> If I am responsible for access control for some resources, I want to
>>> know who's requesting access, and for that I want a name or at least
>>> an organizational affiliation........Use of crypto tokens, one-time
>>> keys, etc. all come to mind and all have limitations...........
>>
>>Sure. What I'm driving at - FQDN may not be applicable for
>>identifying the requestor. So a symbolic string with wider
>>semantic than FQDN should be allowed as an "identity tag"
>>on the key.
>
>I agree that an FQDN is not always the right answer, but in the interest
>of interoperability and simplicity, I would like to define what the
>allowed name forms are, since IKE must be prepared to deal with them and
>the SPD interface must deal with them. I was assuming we would have
>FQDNs, RFC822 addresses as user names, DNs, and IP addresses. Anything
>else you think we should include?
I would suggest that we use Network Access Identifiers as per RFC 2486.
>Steve
==========================
Stuart Jacobs CISSP
PMTS - Sr. Technologist
Verizon Laboratories
40 Sylvan Road Waltham, MA 02451-1128 USA
telephone: (781) 466-3076 fax: (781) 466-2838
stu.jacobs@labs.gte.com sjj0@labs.gte.com stu.jacobs@verizon.com
==========================