Re: Adding revised identities to IKEv2
<short answer>
In your previous mail you wrote:
Francis Dupont wrote:
> Oh sure. If I say the entity name is "Uri Blumenthal" - then there
> has to be a key/cert associated with that name. As it only matters
> for signing the Phase 1 exchange to validate IP address from which
> the traffic is originating, for subsequent Phase 2 things.
>
> => this is a typical example of statements I disagree with: in fact
> signing the Phase 1 exchange doesn't validate IP address.
Why doesn't it? In your opinion, what is missing and how would you
prefer to validate IP address?
> IMHO
> you should agree the level of trust in this "validation" is *not*
> at the level of trust of cryptographic signatures!
Perhaps I should - but I don't. Try to convince me first, then we'll
see.
=> simple: the address is not covered by the signature, in fact, the
address is not inside any messages so it is not cryptographically
protected.
Regards
Francis.Dupont@enst-bretagne.fr
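The point Francis makes (the signature covers the IKE message bytes, and the source address lives only in the IP header outside those bytes) can be shown in a few lines. The following is an added illustration, not code from the thread or from any IKE implementation: it models the initiator AUTH input of RFC 7296 section 2.15 (RealMessage1 | NonceRData | MACedIDForI) with a pre-shared-key MAC, wraps it in a toy packet whose only header fields are the source and destination addresses, and checks what a responder can and cannot conclude. The key, nonce, message bytes and addresses are constructed sample values, and the `bound_address` option is a hypothetical extension that exists only to show what it would take for the address to be covered.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values for the demonstration; none of this is real IKE traffic.
PSK = b"constructed-pre-shared-key"      # stands in for the signing/MAC key
NONCE_R = bytes(range(16))                # constructed responder nonce
ID_I = b"Uri Blumenthal"                  # the entity name used in the thread
MESSAGE1 = b"IKE_SA_INIT request (constructed, opaque bytes)"


def signed_octets(message1, nonce_r, id_payload, bound_address=None):
    """Simplified model of the IKEv2 initiator AUTH input (RFC 7296, 2.15):
    RealMessage1 | NonceRData | MACedIDForI.
    Nothing from the IP header is part of it.  bound_address is a hypothetical
    extension used only to illustrate what covering the address would require."""
    maced_id = hmac.new(PSK, id_payload, hashlib.sha256).digest()
    octets = message1 + nonce_r + maced_id
    if bound_address is not None:
        octets += ipaddress.IPv4Address(bound_address).packed
    return octets


def compute_auth(message1, bound_address=None):
    """AUTH payload value: a MAC with the shared key over the signed octets
    (the PSK form of AUTH; a digital signature would cover the same octets)."""
    data = signed_octets(message1, NONCE_R, ID_I, bound_address)
    return hmac.new(PSK, data, hashlib.sha256).digest()


def build_packet(src_ip, dst_ip, ike_message):
    """Toy packet: 4-byte source, 4-byte destination, then the IKE message.
    Only the layout matters for the argument; real IPv4/UDP headers are omitted."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + ike_message)


def parse_packet(packet):
    """Split the toy packet back into (source, destination, IKE message)."""
    src = str(ipaddress.IPv4Address(packet[:4]))
    dst = str(ipaddress.IPv4Address(packet[4:8]))
    return src, dst, packet[8:]


def rewrite_source(packet, new_src):
    """What a NAT (or any header rewrite) does: replace the source field and
    leave the IKE bytes untouched."""
    return ipaddress.IPv4Address(new_src).packed + packet[4:]


def verify_auth(packet, auth, check_address=False):
    """Responder-side check.  With check_address=False this is the situation the
    thread discusses: the verifier recomputes AUTH from the IKE message alone and
    never looks at the header.  With check_address=True it verifies the
    hypothetical address-bound variant instead."""
    src, _, message1 = parse_packet(packet)
    expected = compute_auth(message1, src if check_address else None)
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    pkt = build_packet("192.0.2.1", "198.51.100.1", MESSAGE1)
    auth = compute_auth(MESSAGE1)
    moved = rewrite_source(pkt, "203.0.113.9")
    print("original packet verifies:", verify_auth(pkt, auth))
    print("same AUTH after source rewrite:", verify_auth(moved, auth))
    print("IKE bytes tampered:",
          verify_auth(build_packet("192.0.2.1", "198.51.100.1", MESSAGE1 + b"x"), auth))
```

Running it shows that a valid AUTH says nothing about the header: the packet still verifies after its source address is rewritten, while any change to the signed IKE bytes is caught. Only the hypothetical variant that puts the address inside the signed octets ties the two together, which is exactly the binding the thread says IKE does not provide.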