Re: Revised identity, again
At 10:17 AM 1/31/2003, Paul Hoffman / VPNC wrote:

>This paragraph means that the many years of on-and-off discussion about 
>the lack of clarity of IKEv1 with respect to what does an ID payload mean 
>when using certificates is now ignored. The fact that there is vastly less 
>interoperability for certificate authentication than for preshared secret 
>authentication (or even XAUTH authentication!) is now irrelevant.
>
>According to the WG chairs, IKEv2 should use the same under-specified and 
>non-specified rules for certificate processing as IKEv1.
>
>Is this what the working group wants?

I've gone through *numerous* bakeoffs where vendors have implemented
different behaviors for various things related to certs. We've had several
meetings during bakeoffs to discuss this particular issue. Even if the
vendors are able to come to some sort of consensus during the bakeoff,
the WG has been extremely apathetic about any attempts to clarify things.

I argued that one of the requirements should be that any authentication
mechanism be fully specified in the context of SOI, or not be a candidate
mechanism. A series of random specs that someone has to figure out
how to piece together isn't an answer. [I also argued that the protocol
specification be flexible enough to allow future mechanisms.]

And I for one would sure hate to see certs excluded as a mechanism;
I do think it is an extremely useful mechanism.

But I'm also really tired of having to revisit the same issues years later
because we can't take the time to figure out in some detail what needs
to happen and to adequately specify things.

thx - C



====================================
Cheryl Madson
Core IP Engineering; Security and Services
Cisco Systems, Inc.
cmadson@cisco.com