
Re: Summary of revised identity changes



At 8:50 PM -0500 12/9/02, Michael Richardson wrote:
>     >> a) For certificate authentication, in messages 3 and 4, you no longer
>     >> send both an ID and a certificate. Instead, you send only a
>     >> certificate and the receiver gets your identity from the certificate.
>   Right now, I can make an X.509 implementation and a non-X.509
>implementation (such as might be found in a handheld!) interop by arranging
>for appropriate keys to be in the right places.

And you still can under the proposal. Read what it says: "For 
*certificate* identification". There are other methods listed in the 
proposal.

What isn't in the current proposal is hashes of bare keys, but that's 
easy to add. If we do, you still don't need IDs: the hash of the key 
is the ID. Does the WG want bare public keys as part of this?

>   I fear strongly that this proposal will permanently wed people to the
>false belief that public key operations involve PKIs.

They won't if we add bare public keys.

--Paul Hoffman, Director
--VPN Consortium