Re: IKEV2: Issue #4 Revised Identity



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Francis" == Francis Dupont <Francis.Dupont@enst-bretagne.fr> writes:
    mcr> because there are multiple implementations out there that can't
    mcr> even cope with importing or exporting even a self-signed
    mcr> certificate (or making it so hard nobody bothers), I really do
    mcr> not think that we need any more esoteric situations.

    Francis> => I can't parse your conclusion: do you support or not the
    Francis> revised identity proposal for IKEv2?

  I support:
    http://www.sandelman.ca/ipsec/2002/12/msg00250.html

  I specifically am not interested in tilting at the wind "what if" for
certificate retrieval, i.e. the problems that Eric described. I'm sure that
they are real problems. They are just so far away from where we are now that
I do not think that we can engineer a proper solution to them.

    Francis> => IMHO a large part of the issue comes from the network access
    Francis> control (the AAA) done by IKE when IKE has no native interface
    Francis> with an AAA system.  The PKI stuff should be integrated with
    Francis> legacy authentication in order to provide a native AAA interface
    Francis> in charge of the strong authentication with authorization and
    Francis> accounting as goodies...

  An IKE gateway can talk AAA, or RADIUS, or COPS, or whatever it likes.
  We suffer greatly because there are vendors who think that they can read
one document and implement an entire solution to a wide set of
problems. Actually, I doubt any of the real problem ones are still in
business :-)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPkq00oqHRg3pndX9AQFFXQQA1LnbIGB6var2FJ7C3OiuCIEBCbpEMZpa
ciBJz8/M2mRX979uxjvT7IMLrUZP1PZPK6dCef2NcbDrJOq5xPeENTyfqdBrIayI
pT3xqXGFdspOz9EwQ22QxDqlpVuXOyeNCyb6KcqG8FNNT4IzXSPrJlTJUnR97EUL
uXLgTU2OOig=
=hCWI
-----END PGP SIGNATURE-----