
Re: Auth Method

"Valery Smyslov" <svan@trustworks.com> wrote:
> In message http://www.vpnc.org/ietf-ipsec/mail-archive/msg02440.html
> Charlie Kaufman wrote:
>
>         Unless someone objects, I'll add a specifier of the
>         authentication data type, of which we currently have 3: RSA
>         signature,
>         DSA signature, and shared key HMAC.
>
> So, the original intention was to make Auth Type more specific than we
> have now, indicating what particular digital signature algorithm was used.
> I'm curious what was the rationale to change that intention.

I really need a better filing system for things I say I will do unless
someone objects. In this case, I remembered to add the type code, but
forgot that you wanted separate ones for RSA vs DSA. I've now added a third
code value for DSA.

> Another issue - how each side can advertise auth methods she supports.
> In the same message there was some discussion on this topic and
> suggestion to use CertRequest Payload for that purpose. Unfortunately,
> it hasn't been done. Why? Are there strong objections against it?

I'm not convinced this is useful. It is only useful when one side can use
more than one set of credentials to authenticate and can't figure out which
the other side would prefer based on the CERTREQ. If we were to support
such a capability, my preference would be to put it in a NOTIFY payload
that the other end would be free to ignore if it didn't want to support
this case.

I don't think there were strong objections last time around, but neither
did I hear a groundswell of support. As I noted then, this could easily be
added to the protocol later in a backward compatible way if we discovered
we needed it.

          --Charlie

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
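The "specifier of the authentication data type" discussed above is what lets a receiver know which verifier to run on the authentication data before it looks at a single byte of it. The following is an added example, not code from the thread or from any IKEv2 implementation, that parses and builds the AUTH payload with that specifier and fails closed on an unknown method. It assumes the payload layout and code values of the published IKEv2 specification (RFC 7296, section 3.8: 1 = RSA Digital Signature, 2 = Shared Key Message Integrity Code, 3 = DSS Digital Signature), not whatever numbering the draft under discussion used at the time; the sample payloads are constructed for the example.

```python
"""Added example (not from the mailing-list thread or any real IKE stack):
parsing the Auth Method specifier of an IKEv2 AUTH payload.

Assumption: layout and code values follow RFC 7296, section 3.8, not the
draft being discussed in the thread.

    0               1               2               3
    | Next Payload  |C|  RESERVED   |         Payload Length        |
    | Auth Method   |                RESERVED                       |
    |                   Authentication Data ...                     |
"""
import struct

# Code values from the published specification (assumption relative to the draft).
AUTH_METHODS = {
    1: "RSA Digital Signature",
    2: "Shared Key Message Integrity Code",
    3: "DSS Digital Signature",
}

HEADER_LEN = 8  # generic payload header (4) + Auth Method (1) + RESERVED (3)


class AuthPayloadError(ValueError):
    """Raised for a malformed payload or an Auth Method the receiver does not implement."""


def build_auth_payload(method: int, auth_data: bytes, next_payload: int = 0) -> bytes:
    """Encode an AUTH payload; the critical bit is left clear and RESERVED bytes are zero."""
    length = HEADER_LEN + len(auth_data)
    # '3x' emits the three zero RESERVED bytes that follow Auth Method.
    return struct.pack("!BBHB3x", next_payload, 0, length, method) + auth_data


def parse_auth_payload(raw: bytes) -> dict:
    """Decode an AUTH payload into its fields.

    The Auth Method is checked against the table before the authentication
    data is handed to anything: an unknown specifier is rejected rather than
    guessed at, so RSA and DSS data can never be fed to the wrong verifier.
    """
    if len(raw) < HEADER_LEN:
        raise AuthPayloadError("AUTH payload shorter than its 8-byte fixed header")
    next_payload, crit_resv, length, method = struct.unpack("!BBHB", raw[:5])
    reserved = raw[5:HEADER_LEN]
    if length < HEADER_LEN or length > len(raw):
        raise AuthPayloadError(f"Payload Length {length} inconsistent with {len(raw)} bytes received")
    if reserved != b"\x00\x00\x00":
        raise AuthPayloadError("RESERVED bytes after Auth Method must be zero")
    if method not in AUTH_METHODS:
        raise AuthPayloadError(f"unsupported Auth Method {method}")
    return {
        "next_payload": next_payload,
        "critical": bool(crit_resv & 0x80),  # C bit is the top bit of byte 1
        "auth_method": method,
        "auth_method_name": AUTH_METHODS[method],
        "auth_data": raw[HEADER_LEN:length],
    }


def is_supported_auth_payload(raw: bytes) -> bool:
    """True when the payload is well formed and names a method this receiver implements."""
    try:
        parse_auth_payload(raw)
        return True
    except AuthPayloadError:
        return False


if __name__ == "__main__":
    # Constructed sample: a DSS-signed AUTH payload with placeholder signature bytes.
    sample = build_auth_payload(3, b"\xde\xad\xbe\xef")
    print(parse_auth_payload(sample))
    # Constructed sample with an unassigned method code: rejected before any verification.
    print(is_supported_auth_payload(build_auth_payload(7, b"\x00")))
```

The point of the fail-closed check is the one Valery's question is driving at: once RSA and DSA carry distinct specifiers, the receiver dispatches on the code and never has to try one verifier and then the other, and a code it does not recognize is a protocol error rather than a guess.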