[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Adding revised identities to IKEv2

To: Uri Blumenthal <uri@lucent.com>
Subject: Re: Adding revised identities to IKEv2
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Fri, 15 Nov 2002 17:26:33 +0100
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of Fri, 15 Nov 2002 09:53:15 EST. <3DD50A5B.25A2F5FF@lucent.com>
Sender: owner-ipsec@lists.tislabs.com

<short answer>

 In your previous mail you wrote:

   Francis Dupont wrote:
   >    Oh sure. If I say the entity name is "Uri Blumenthal" - then there
   >    has to be a key/cert associated with that name. As it only matters
   >    for signing the Phase 1 exchange to validate IP address from which
   >    the traffic is originating, for subsequent Phase 2 things.
   > 
   > => this is a typical example of statements I disagree with: in fact
   > signing the Phase 1 exchange doesn't validate IP address.

   Why doesn't it? In your opinion,what is missing and how would you
   prefer to validate IP address?

   > IMHO
   > you should agree the level of trust in this "validation" is *not*
   > at the level of trust of cryptographic signatures!

   Perhaps I should - but I don't. Try to convince me first, then we'll
   see.

=> simple: the address is not covered by the signature, in fact, the
address is not inside any messages so it is not cryptographically
protected.

Regards

Francis.Dupont@enst-bretagne.fr

References:
- Re: Adding revised identities to IKEv2
  - From: Uri Blumenthal <uri@lucent.com>

Prev by Date: Re: Adding revised identities to IKEv2
Next by Date: Re: draft-ietf-ipsec-pki-profile-01.txt
Prev by thread: Re: Adding revised identities to IKEv2
Next by thread: Re: Adding revised identities to IKEv2
Index(es):
- Date
- Thread