
Re: Adding revised identities to IKEv2



At 11/12/02 07:11 PM, you wrote:
>At 7:00 PM -0500 11/12/02, Uri Blumenthal wrote:
>>Stephen Kent wrote:
>>>  >......how do you identify a key................
>>>
>>>  First, I don't want to identify keys in most cases (I don't see them
>>>  as principals), and this would be one of them.
>>
>>Touche (:-).
>>
>>>  If I am responsible for access control for some resources, I want to
>>>  know who's requesting access, and for that I want a name or at least
>>>  an organizational affiliation........Use of crypto tokens, one-time
>>>  keys, etc. all come to mind and all have limitations...........
>>
>>Sure. What I'm driving at - FQDN may not be applicable for
>>identifying the requestor. So a symbolic string with wider
>>semantic than FQDN should be allowed as an "identity tag"
>>on the key.
>
>I agree that an FQDN is not always the right answer, but in the interest 
>of interoperability and simplicity, I would like to define what the 
>allowed names forms are, since IKE must be prepared to deal with them and 
>the SPD interface must deal with them.  I was assuming we would have 
>FQDNs, RFC822 addresses as user names, DNs, and IP addresses.  Anything 
>else you think we should include?

I would suggest that we use Network Access Identifiers as per RFC 2486

>Steve

==========================
Stuart Jacobs CISSP
PMTS - Sr. Technologist
Verizon Laboratories
40 Sylvan Road Waltham, MA 02451-1128     USA
telephone: (781) 466-3076   fax: (781) 466-2838
stu.jacobs@labs.gte.com sjj0@labs.gte.com  stu.jacobs@verizon.com
==========================
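An added example, not code from this thread or from any IKE implementation: a small Python validator for the name forms Steve lists (FQDN, RFC 822 address, IP address, DN) and for the RFC 2486 Network Access Identifier suggested above, plus an SPD lookup keyed on the ID type the peer asserts. The NAI check follows the RFC 2486 grammar (dot-string username, optional realm of two or more labels, backslash escapes for the RFC 822 specials). Everything else is this example's own assumption rather than something the RFCs or the thread state: the RFC 822 and RFC 2253 checks are simplified (dot-atom local part, "attr=value" RDNs, no quoting or comments); FQDNs are required to have two or more labels; the 72 octets that RFC 2486 requires implementations to support at minimum is used here as a ceiling; the SPD entries, their PROTECT/BYPASS/DISCARD actions (the RFC 4301 action names) and the "@realm" wildcard convention are constructed for the example.

```python
"""Added example (not from the thread or any IKE stack): classify an identity
string into the name forms the thread lists plus the RFC 2486 NAI, and select
an SPD entry by the ID type the peer asserts."""
import ipaddress
import re

# RFC 2486 2.1 requires support for NAIs of at least 72 octets; using that as a ceiling is this example's choice.
NAI_MAX_OCTETS = 72
SPECIALS = set('()<>@,;:\\".[]')   # RFC 822 specials: must be backslash-escaped inside an NAI username
NAI_LABEL = re.compile(r'^[A-Za-z0-9][A-Za-z0-9-]*$')   # RFC 2486: label = let-dig *(let-dig / "-")
HOST_LABEL = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')   # RFC 1123 host label
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = re.compile(rf'^{ATEXT}(?:\.{ATEXT})*$')   # RFC 822 local part, simplified: no quoted strings
RDN = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)=.+$')   # simplified RFC 2253 'attr=value'

def split_nai(s):
    """Split at the first unescaped '@'; realm is None when absent."""
    i = 0
    while i < len(s):
        if s[i] == '\\':
            i += 2                       # backslash escapes the next octet
        elif s[i] == '@':
            return s[:i], s[i + 1:]
        else:
            i += 1
    return s, None

def valid_username(user):
    """RFC 2486 dot-string: non-empty strings joined by '.', each of printable ASCII that is
    neither a special nor SPACE, or backslash-escaped ASCII (rejecting controls is stricter)."""
    i, in_string = 0, False
    while i < len(user):
        ch = user[i]
        if ch == '\\':
            if i + 1 >= len(user) or ord(user[i + 1]) > 127:
                return False
            i, in_string = i + 2, True
        elif ch == '.':
            if not in_string:            # '.' with no string before it
                return False
            i, in_string = i + 1, False
        elif ch in SPECIALS or not 32 < ord(ch) < 127:
            return False
        else:
            i, in_string = i + 1, True
    return in_string                     # must end in a non-empty string

def is_nai(s):
    """RFC 2486 NAI: username, or username@realm with a realm of two or more labels."""
    if not s or len(s) > NAI_MAX_OCTETS:
        return False
    user, realm = split_nai(s)
    if not valid_username(user):
        return False
    if realm is None:
        return True
    labels = realm.split('.')
    return len(labels) >= 2 and all(NAI_LABEL.match(l) for l in labels)

def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def is_fqdn(s):
    """RFC 1123 labels; two or more labels is this example's rule; an all-digit last label
    is rejected (RFC 1123 2.1) so a dotted quad is not taken for a host name."""
    labels = s.split('.')
    return (len(s) <= 253 and len(labels) >= 2 and not labels[-1].isdigit()
            and all(HOST_LABEL.match(l) for l in labels))

def is_rfc822(s):
    local, sep, domain = s.partition('@')
    return bool(sep and DOT_ATOM.match(local)) and is_fqdn(domain)

def is_dn(s):
    """Textual DN; IKE carries DNs DER-encoded, this checks the form typed into policy."""
    return all(RDN.match(r.strip()) for r in s.split(','))

VALIDATORS = {'IPADDR': is_ip, 'FQDN': is_fqdn, 'RFC822': is_rfc822, 'DN': is_dn, 'NAI': is_nai}

def classify(identity):
    """All forms the string satisfies; they overlap, so the ID payload's type, not the
    string itself, must decide how the SPD interprets the identity."""
    return {name for name, check in VALIDATORS.items() if check(identity)}

# Constructed SPD: (ID type, pattern, RFC 4301 action).  '@realm' matching every user of
# that realm (the roaming case RFC 2486 was written for) is a convention assumed here.
EXAMPLE_SPD = [('NAI', '@example.com', 'PROTECT'),
               ('FQDN', 'gw.example.net', 'PROTECT'),
               ('IPADDR', '10.0.0.1', 'BYPASS')]

def spd_lookup(id_type, identity, spd=EXAMPLE_SPD):
    """Action for a peer asserting (id_type, identity); DISCARD if the value is malformed
    for that type or no entry of that type matches.  Entries of other types never match."""
    check = VALIDATORS.get(id_type)
    if check is None or not check(identity):
        return 'DISCARD'
    for entry_type, pattern, action in spd:
        if entry_type != id_type:
            continue
        if entry_type == 'NAI' and pattern.startswith('@'):
            realm = split_nai(identity)[1]
            if realm is not None and realm.lower() == pattern[1:].lower():   # DNS names are case-insensitive
                return action
        elif pattern == identity:
            return action
    return 'DISCARD'

if __name__ == '__main__':
    for t, v in [('NAI', 'joe@example.com'), ('NAI', 'joe'), ('NAI', 'joe@evil@example.com'),
                 ('RFC822', 'joe@example.com'), ('FQDN', '10.0.0.1')]:
        print(f'{t:8}{v:24}forms={sorted(classify(v))} -> {spd_lookup(t, v)}')
```

What classify() makes visible is the point for the SPD interface: joe@example.com satisfies both the RFC 822 and the NAI grammar, and a bare host name or dotted quad satisfies the NAI grammar as well, so the string alone does not say which name form it is. The SPD therefore has to be keyed on the ID type carried in the IKE ID payload, which is why spd_lookup() discards an identity asserted as RFC822 even though an NAI entry would textually match it; adding NAIs as a name form means adding that type to both the IKE ID handling and the SPD matching, not just accepting more strings.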