
Re: Revised identity, again



Yeah - what Cheryl said.

Scott

Cheryl Madson wrote:
> 
> At 10:17 AM 1/31/2003, Paul Hoffman / VPNC wrote:
> 
> >This paragraph means that the many years of on-and-off discussion about
> >the lack of clarity of IKEv1 with respect to what does an ID payload mean
> >when using certificates is now ignored. The fact that there is vastly less
> >interoperability for certificate authentication than for preshared secret
> >authentication (or even XAUTH authentication!) is now irrelevant.
> >
> >According to the WG chairs, IKEv2 should use the same under-specified and
> >non-specified rules for certificate processing as IKEv1.
> >
> >Is this what the working group wants?
> 
> I've gone through *numerous* bakeoffs where vendors have implemented
> different behaviors for various things related to certs. We've had several
> meetings during bakeoffs to discuss this particular issue. Even if the
> vendors are able to come to some sort of consensus during the bakeoff,
> the WG has been extremely apathetic about any attempts to clarify things.
> 
> I argued that one of the requirements should be that any authentication
> mechanism be fully specified in the context of SOI, or not be a candidate
> mechanism. A series of random specs that someone has to figure out
> how to piece together isn't an answer. [I also argued that the protocol
> specification be flexible enough to allow future mechanisms.]
> 
> And I for one would sure hate to see certs excluded as a mechanism;
> I do think it is an extremely useful mechanism.
> 
> But I'm also really tired of having to revisit the same issues years later
> because we can't take the time to figure out in some detail what needs
> to happen and to adequately specify things.
> 
> thx - C
> 
> ====================================
> Cheryl Madson
> Core IP Engineering; Security and Services
> Cisco Systems, Inc.
> cmadson@cisco.com