
RE: Adding revised identities to IKEv2



Max Pritikin writes:
> Your previous statement,
> >>> The other end doesn't really need a certificate it needs a public key
> and it needs it to be trusted somehow.
>               ^^^^^^^
> is the difference. The particular certificate matters because the 'somehow'
> is to use the binding and identifying information in the certificate to
> determine the appropriate policy.

A certificate is not the only way the public key can be trusted. For
example, you could preconfigure the public key in the system (i.e. the
SGW has a database of all public keys and what they are authorized to
do with those keys). Or it might internally use PGP keys, DNS
records, or ...
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
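The alternative Kivinen sketches above, a gateway whose trust in a peer's public key comes from a preconfigured database rather than from a certificate, modelled as an added example that is not code from the original thread or from any IKE implementation. It assumes Ed25519 keys, a SHA-256 fingerprint as the database index, a simplified proof of possession (a signature over a gateway nonce rather than IKEv2's real AUTH blob), and a made-up Policy structure; all of those are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Policy is what a preconfigured key is authorized to do. The fields are an
// assumption for this example; real IPsec policy (traffic selectors, lifetimes,
// proposals) is far richer.
type Policy struct {
	Owner          string
	AllowedSubnets []string
}

// KeyDB is the security gateway's table of trusted raw public keys, indexed by
// the SHA-256 fingerprint of the key bytes. No certificate is involved: a key is
// trusted only because an administrator provisioned it here out of band.
type KeyDB map[string]Policy

// Fingerprint returns the hex SHA-256 of the raw public key bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Add provisions a key together with the policy it is authorized for.
func (db KeyDB) Add(pub ed25519.PublicKey, p Policy) { db[Fingerprint(pub)] = p }

// Authenticate models the gateway's check of a peer's proof of possession:
// the peer presents its public key and a signature over data both sides know
// (here a nonce chosen by the gateway). Trust is decided purely by database
// membership, so an unknown key is rejected even when its signature is valid,
// and a known key is rejected when the peer cannot sign with it.
func (db KeyDB) Authenticate(pub ed25519.PublicKey, signedData, sig []byte) (Policy, error) {
	p, ok := db[Fingerprint(pub)]
	if !ok {
		return Policy{}, errors.New("public key not in preconfigured database")
	}
	if !ed25519.Verify(pub, signedData, sig) {
		return Policy{}, errors.New("signature does not verify under presented key")
	}
	return p, nil
}

// Demo provisions one trusted key, then runs three attempts against the
// gateway: the legitimate peer, an attacker with an unprovisioned key, and an
// attacker presenting the trusted key without its private half.
func Demo() (trustedAccepted, unknownRejected, forgedRejected bool) {
	db := KeyDB{}
	goodPub, goodPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	db.Add(goodPub, Policy{Owner: "branch-office-1", AllowedSubnets: []string{"10.1.0.0/16"}})

	nonce := make([]byte, 32) // constructed gateway nonce standing in for the real AUTH input
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}

	// 1. Legitimate peer signs the nonce with the provisioned key.
	_, err = db.Authenticate(goodPub, nonce, ed25519.Sign(goodPriv, nonce))
	trustedAccepted = err == nil

	// 2. Attacker with a fresh key pair: the signature is valid, but the key
	//    was never provisioned, so there is no basis for trust.
	badPub, badPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, err = db.Authenticate(badPub, nonce, ed25519.Sign(badPriv, nonce))
	unknownRejected = err != nil

	// 3. Attacker presents the trusted public key but signs with its own key.
	_, err = db.Authenticate(goodPub, nonce, ed25519.Sign(badPriv, nonce))
	forgedRejected = err != nil
	return
}

func main() {
	a, u, f := Demo()
	fmt.Println("trusted accepted:", a, "unknown rejected:", u, "forged rejected:", f)
}
```

The point the database makes concrete is that the policy lookup happens on the key itself, not on any identifying information carried alongside it; whether that is an acceptable substitute for the binding a certificate provides is exactly the disagreement in the thread.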