
Re: IKEV2: Issue #4 Revised Identity




: > opportunistically) to get the remote's cert so that you can make the
: > decision whether you trust it or not (say, ask it from user), would not
: > work since the IKEv2 (and pki-profile) says it is a MUST NOT to send an
: > empty CR.
:
: Could you provide a use case where this is a problem?  Let's say that I
: know I trust CAs A and B, and I tell you that I trust them by sending
: you CERTREQ payloads containing the DNs of these two CAs.  If you don't
: have a certificate backed by A or B, we have no common ground and I
: cannot hope to authenticate you, so IKE fails.  Are you thinking
: opportunistic IPSec?
:
One case is opportunistic IPSec; the second is the use of self-signed certs.
Assuming your friend has only a self-signed cert, it would be nice to get
that cert in IKE so that you could cache it (and verify it, sign it, etc).

	Pekka
___________________________________________________________________________
 Pekka Riikonen                    | Email: priikone@iki.fi
 SILC - http://silcnet.org/        | http://iki.fi/priikone/
 Tel. +358 (0)40 580 6673          | Snellmanninkatu 34 A 15, 70100 Kuopio
 PGP KeyID A924ED4F: http://iki.fi/~priikone/pubkey.asc
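An added example, not code from this thread, of the CERTREQ matching the two posters discuss. It assumes the IKEv2 wire encoding of the Certification Authority field as a concatenation of SHA-1 hashes of trust-anchor SubjectPublicKeyInfo values (RFC 7296 encoding type 4) rather than DNs, and uses constructed byte strings in place of real DER. A peer holding a cert issued by CA A finds common ground; a peer with only a self-signed cert does not, which is the case Pekka raises.

```python
import hashlib
import struct

X509_SIGNATURE_ENCODING = 4  # IKEv2 Cert Encoding "X.509 Certificate - Signature"
HASH_LEN = 20                # SHA-1 digest length used in the CA field

def spki_hash(spki_der: bytes) -> bytes:
    """Trust-anchor identifier carried in CERTREQ: SHA-1 of the CA's SubjectPublicKeyInfo."""
    return hashlib.sha1(spki_der).digest()

def build_certreq(trusted_ca_spkis, next_payload=0) -> bytes:
    """Encode a CERTREQ payload: generic header, 1-byte encoding, concatenated hashes."""
    ca_field = b"".join(spki_hash(s) for s in trusted_ca_spkis)
    body = struct.pack("!B", X509_SIGNATURE_ENCODING) + ca_field
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))  # critical bit clear
    return header + body

def parse_certreq(payload: bytes):
    """Return (encoding, [hashes]); reject truncated or misaligned payloads."""
    if len(payload) < 5:
        raise ValueError("CERTREQ too short")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("CERTREQ length field does not match payload size")
    ca_field = payload[5:]
    if len(ca_field) % HASH_LEN:
        raise ValueError("Certification Authority field is not a multiple of 20 bytes")
    return payload[4], [ca_field[i:i + HASH_LEN] for i in range(0, len(ca_field), HASH_LEN)]

def select_cert(local_certs, requested_hashes):
    """Pick the first local cert whose issuer is one of the peer's trust anchors.
    local_certs: list of {"name": str, "issuer_spki": bytes}. None means no common ground."""
    wanted = set(requested_hashes)
    for cert in local_certs:
        if spki_hash(cert["issuer_spki"]) in wanted:
            return cert["name"]
    return None

# Constructed sample key material (not real DER); only the hashes matter here.
CA_A_SPKI = b"constructed-spki-of-CA-A"
CA_B_SPKI = b"constructed-spki-of-CA-B"
SELF_SPKI = b"constructed-spki-of-self-signed-friend"

def demo():
    """Responder trusts A and B; compare a CA-A-backed peer with a self-signed-only peer."""
    _enc, hashes = parse_certreq(build_certreq([CA_A_SPKI, CA_B_SPKI]))
    backed_by_a = [{"name": "host-cert-A", "issuer_spki": CA_A_SPKI}]
    self_signed_only = [{"name": "friend-selfsigned", "issuer_spki": SELF_SPKI}]
    return select_cert(backed_by_a, hashes), select_cert(self_signed_only, hashes)
```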