Re: Adding revised identities to IKEv2



Uri Blumenthal writes:
 > Stephen Kent wrote:
 > > 
 > > As many of you know, I try to avoid the T-word (trust) in almost all
 > > security technology discussions. I'd like to suggest that it is
 > > inappropriate in this discussion as well. 
 > 
 > Fully agree. Trust is about authorization, which is not IPsec's
 > domain (IMHO).

This statement really bothers me. Authorization is
clearly a part of IPsec. Just because I'm
authenticated should not a priori get
authorization for any filtering I desire on the
remote end. That seems like the heart of the IPsec
qua access control mechanism. We need a clean
separation both in IPsec and keying of those two
concepts.

That said, I'm pretty sympathetic to banishing the
T-word from the lexicon too.

	    Mike