
Re: IKEV2: Issue #4 Revised Identity




>>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
    Eric> Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:

    >> At 9:11 PM -0500 2/11/03, Greg Carter wrote:
    >> >Just so I am clear, with your Revised ID proposal the only way to achieve
    >> >certificate caching is if the IKE implementation supports retrieval of
    >> >certificates via http URLs?
    >> 
    >> Nope, nothing in the document says that. You can cache any certs you
    >> know about from any means, such as from people who sent them to you in
    >> IKE.

    Eric> Right, but how do you arrange to communicate what you've cached to
    Eric> the peer so that they send you the right certificate if your cache
    Eric> is invalid for some reason (assuming that you can't retrieve the
    Eric> right one with HTTP)?

  That's really not a problem for IKE.
  If the right goop isn't there, you lose.

  That's why we want to just send the URL (or URN if you want) where the
certificate, whatever chain you need, and maybe the CRL, can be
found. 
  Sending the whole thing makes total sense for TLS, and it works well for
HTTPS, SMTP(STARTTLS), but not for IKE over UDP.  Maybe IKE v3 will run over
SCTP... maybe not. 

  Honestly. With something like 80% of VPNs running pre-shared secrets
because there are multiple implementations out there that can't even cope
with importing or exporting even a self-signed certificate (or making it
so hard nobody bothers), I really do not think that we need any more 
esoteric situations.
  Once we have 90% of deployment running with public keys, and the rest doing
legacy auth, maybe with public keys asymmetrically, then it will be time to
worry about extended chain resolution etc... 

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [