
Re: Adding revised identities to IKEv2



 In your previous mail you wrote:

   Oh sure. If I say the entity name is "Uri Blumenthal" - then there
   has to be a key/cert associated with that name. As it only matters
   for signing the Phase 1 exchange to validate IP address from which
   the traffic is originating, for subsequent Phase 2 things.
   
=> this is a typical example of statements I disagree with: in fact
signing the Phase 1 exchange doesn't validate the IP address. IMHO
you should agree the level of trust in this "validation" is *not*
at the level of trust of cryptographic signatures!

Regards

Francis.Dupont@enst-bretagne.fr

PS: this is not directed against you (or someone else), I just need
some good start points for an IPsec/addresses discussion.