Re: IKEV2: Issue #4 Revised Identity
Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
> That's really not a problem for IKE.
> If the right goop isn't there, you lose.
Uh, then why bother having caching at all? If you're going
to have caching you have to have cache invalidation.
> That's why we want to just send the URL (or URN if you want) where the
> certificate, whatever chain you need, and maybe the CRL, can be
> found.
And if the implementation can't do HTTP you're completely SOL--or
rather you have to send the whole chain over UDP, which is
what you say you're trying to avoid.
> Honestly. With something like 80% of VPNs running pre-shared secrets
> because there are multiple implementations out there that can't even cope
> with importing or exporting even a self-signed certificate (or making it
> so hard nobody bothers), I really do not think that we need any more
> esoteric situations.
It's my view that part of the REASON that so many implementations run shared
secrets is that IKE certificate handling is so screwed up.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
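The exchange above argues two points: a peer that references a certificate by URL needs some way to fetch it (or must fall back to carrying the chain inline over UDP), and any local certificate cache needs invalidation. IKEv2 later standardized the URL idea as the "Hash and URL" certificate encoding, where the peer sends a SHA-1 hash of the DER certificate together with a URL. The following is an added example, not code from either participant in this thread, modelling a small cache for that style of reference. It shows why the content hash alone is not enough: the hash pins which bytes the URL must return, but expiry and revocation still have to be checked on every lookup, and an implementation with no fetcher must signal that it needs the chain inline. The `CertRecord` fields, the `fetcher` callback and all certificate values are constructed for illustration.

```python
"""Certificate cache with invalidation for a hash-and-URL style IKE exchange."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class CertRecord:
    """Minimal stand-in for a parsed X.509 certificate (constructed, not real DER)."""
    der: bytes        # bytes the URL must return; the IKE hash is computed over these
    serial: int       # used for revocation matching against a CRL
    not_after: int    # end of validity period, seconds since epoch (constructed)


def cert_hash(der: bytes) -> bytes:
    """Hash-and-URL references identify a certificate by SHA-1 of its DER encoding."""
    return hashlib.sha1(der).digest()


class CertCache:
    """Cache keyed by certificate hash, with expiry- and CRL-based invalidation.

    `fetcher` is a hypothetical callback (url -> CertRecord or None) standing in for
    whatever HTTP retrieval the implementation has; None means "cannot fetch at all".
    """

    def __init__(self, fetcher: Optional[Callable[[str], Optional[CertRecord]]] = None):
        self._entries: dict[bytes, CertRecord] = {}
        self._revoked: set[int] = set()
        self._fetcher = fetcher

    def store(self, rec: CertRecord) -> None:
        self._entries[cert_hash(rec.der)] = rec

    def revoke(self, serial: int) -> None:
        """Record a serial from a CRL; cached copies become invalid on next lookup."""
        self._revoked.add(serial)

    def _usable(self, rec: CertRecord, now: int) -> bool:
        # The content hash says nothing about time or revocation, so check both here.
        return now <= rec.not_after and rec.serial not in self._revoked

    def lookup(self, h: bytes, url: str, now: int) -> Tuple[str, Optional[CertRecord]]:
        """Resolve a (hash, url) reference.

        Returns one of:
          ("hit", rec)               valid cached copy
          ("fetched", rec)           fetched from url, hash matched, stored
          ("need_inline_chain", None) no fetcher: peer must send the chain in-band
          ("fetch_failed", None)     fetch failed, hash mismatch, or fetched cert unusable
        """
        rec = self._entries.get(h)
        if rec is not None:
            if self._usable(rec, now):
                return ("hit", rec)
            del self._entries[h]          # expired or revoked: evict, do not reuse
        if self._fetcher is None:
            return ("need_inline_chain", None)
        fetched = self._fetcher(url)
        # Bind the fetched bytes to the hash the peer sent; a URL is not trusted on its own.
        if fetched is None or cert_hash(fetched.der) != h or not self._usable(fetched, now):
            return ("fetch_failed", None)
        self.store(fetched)
        return ("fetched", fetched)


# Constructed sample certificate and a fetcher that serves it for one URL.
SAMPLE = CertRecord(der=b"constructed-der-bytes-for-peer-A", serial=42, not_after=2000)
SAMPLE_URL = "http://example.invalid/certs/peer-a.der"   # placeholder URL


def sample_fetcher(url: str) -> Optional[CertRecord]:
    return SAMPLE if url == SAMPLE_URL else None


def walk_through() -> list:
    """Run the scenarios the thread argues about and return the status sequence."""
    h = cert_hash(SAMPLE.der)
    results = []
    no_http = CertCache(fetcher=None)
    no_http.store(SAMPLE)
    results.append(no_http.lookup(h, SAMPLE_URL, now=1000)[0])   # hit
    results.append(no_http.lookup(h, SAMPLE_URL, now=3000)[0])   # expired, cannot fetch
    with_http = CertCache(fetcher=sample_fetcher)
    results.append(with_http.lookup(h, SAMPLE_URL, now=1000)[0]) # fetched
    results.append(with_http.lookup(h, SAMPLE_URL, now=1000)[0]) # hit
    with_http.revoke(SAMPLE.serial)
    results.append(with_http.lookup(h, SAMPLE_URL, now=1000)[0]) # revoked: refetch also rejected
    return results


if __name__ == "__main__":
    print(walk_through())
```

The last scenario is the one the reply stresses: once a serial appears on a CRL, both the cached copy and a fresh fetch of the same bytes are rejected, even though the hash still matches, so the cache must consult validity and revocation state rather than trusting the hash alone.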