
Re: IKEV2: Issue #4 Revised Identity



>>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
    Eric> Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
    >> That's really not a problem for IKE.  If the right goop isn't there,
    >> you lose.

    Eric> Uh, then why bother having caching at all? If you're going to have
    Eric> caching you have to have cache invalidation.

  Don't all these fancy certificates come with expiry dates? 
  Maybe the HTTP URL access mechanism means to do:
	s/(.*)\.cert$/\1.crl$/

  and that's where you find the crl. I don't know. I punt to pkix to decide
what the "URL" means. I think that there are documents now that tell me
how to get stuff via HTTP, right?

    >> That's why we want to just send the URL (or URN if you want) where the
    >> certificate, whatever chain you need, and maybe the CRL, can be found.

    Eric> And if the implementation can't do HTTP you're completely SOL--or
    Eric> rather you have to send the whole chain over UDP, which is what you
    Eric> say you're trying to avoid.

  No, if the implementation can't do HTTP, then I buy another implementation,
or I preconfigure the appropriate chain, or I simplify the trust model.

  The problem that people doing certificates keep running into is that they 
keep thinking that they are building the "global PKI" and run into how do
two random people communicate securely, even though there isn't a global PKI.

  This is why you say things like this - you assume that the two parties are
random people and don't have any clue about each other's situation. So far,
there isn't anyone that wants to do this kind of thing that is using pkix
certificates. 90% of deployed certificate based VPNs are inside a single
enterprise.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
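An added illustration of the two mechanisms the post sketches, written for this page and not code from the original thread or from any IKE implementation: a URL-keyed certificate cache whose entries are invalidated by the certificate's own expiry date (the answer offered to the cache-invalidation question), and the `s/(.*)\.cert$/\1.crl/` rewrite that derives a CRL location from a certificate URL. The `Cert` record, `fetch` callback, URLs and dates are constructed placeholders; real code would parse X.509 and fetch over HTTP.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# Hypothetical stand-in for a parsed X.509 certificate: only the fields the
# cache logic needs (constructed for this example, no real parsing).
@dataclass(frozen=True)
class Cert:
    subject: str
    not_after: datetime   # certificate expiry; drives cache invalidation
    body: bytes           # bytes as fetched from the URL


def crl_url_for(cert_url: str) -> Optional[str]:
    """Replace a trailing '.cert' with '.crl', as the post's substitution does.
    Returns None when the URL has no '.cert' suffix, so the caller can fall
    back to whatever the certificate itself says about CRL location."""
    new_url, count = re.subn(r"(.*)\.cert$", r"\1.crl", cert_url)
    return new_url if count == 1 else None


class CertCache:
    """URL-keyed cache of fetched certificates.

    An entry stays valid until the earlier of the certificate's notAfter and
    fetch time + max_age; after that the URL is refetched. A fetched
    certificate that is already expired is never cached and is rejected."""

    def __init__(self, max_age: timedelta = timedelta(hours=1)):
        self.max_age = max_age
        self._entries: Dict[str, Tuple[Cert, datetime]] = {}  # url -> (cert, expires_at)
        self.fetches = 0  # how many times the network was hit (for the demo)

    def get(self, url: str, fetch: Callable[[str], Cert], now: datetime) -> Cert:
        entry = self._entries.get(url)
        if entry is not None and now < entry[1]:
            return entry[0]                     # cache hit, still valid
        cert = fetch(url)                       # miss or stale: go to the URL
        self.fetches += 1
        if cert.not_after <= now:
            self._entries.pop(url, None)        # never serve an expired cert
            raise ValueError(f"certificate at {url} expired {cert.not_after.isoformat()}")
        self._entries[url] = (cert, min(cert.not_after, now + self.max_age))
        return cert


def run_demo() -> dict:
    """Walk the cache through hit, max-age refetch and expiry (constructed data)."""
    url = "http://pki.example.net/gw.cert"           # placeholder URL
    t0 = datetime(2003, 2, 12, tzinfo=timezone.utc)  # constructed clock
    cert = Cert("gw.example.net", t0 + timedelta(days=2), b"-- placeholder cert --")

    def fetch(u: str) -> Cert:   # stands in for an HTTP GET of u
        return cert

    cache = CertCache(max_age=timedelta(hours=1))
    cache.get(url, fetch, t0)                           # first use: fetch
    cache.get(url, fetch, t0 + timedelta(minutes=30))   # within max_age: hit
    cache.get(url, fetch, t0 + timedelta(hours=2))      # past max_age: refetch
    fetches_before_expiry = cache.fetches
    try:
        cache.get(url, fetch, t0 + timedelta(days=3))   # cert itself expired
        rejected = False
    except ValueError:
        rejected = True
    return {
        "fetches_before_expiry": fetches_before_expiry,
        "expired_rejected": rejected,
        "crl_url": crl_url_for(url),
    }


if __name__ == "__main__":
    print(run_demo())
```

The cache never needs an explicit invalidation message: the expiry baked into the certificate bounds how long a cached copy can be served, and the `max_age` cap bounds how long a revocation can go unnoticed between CRL checks at the derived URL.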