Re: Adding revised identities to IKEv2
In your previous mail you wrote:
Oh sure. If I say the entity name is "Uri Blumenthal" - then there
has to be a key/cert associated with that name. As it only matters
for signing the Phase 1 exchange to validate the IP address from which
the traffic is originating, for subsequent Phase 2 things.
=> this is a typical example of statements I disagree with: in fact
signing the Phase 1 exchange doesn't validate the IP address. IMHO
you should agree the level of trust in this "validation" is *not*
at the level of trust of cryptographic signatures!
Regards
Francis.Dupont@enst-bretagne.fr
PS: this is not directed against you (or someone else), I just need
some good starting points for an IPsec/addresses discussion.