
Re: IKEV2: Issue #4 Revised Identity



Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
>   That's really not a problem for IKE.
>   If the right goop isn't there, you lose.
Uh, then why bother having caching at all? If you're going
to have caching you have to have cache invalidation.

>   That's why we want to just send the URL (or URN if you want) where the
> certificate, whatever chain you need, and maybe the CRL, can be
> found. 
And if the implementation can't do HTTP you're completely SOL--or
rather you have to send the whole chain over UDP, which is
what you say you're trying to avoid.

>   Honestly. With something like 80% of VPNs running pre-shared secrets
> because there are multiple implementations out there that can't even cope
> with importing or exporting even a self-signed certificate (or making it
> so hard nobody bothers), I really do not think that we need any more 
> esoteric situations.
It's my view that part of the REASON that so many implementations run shared
secrets is that IKE certificate handling is so screwed up.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/