
Re: "Me Tarzan, You Jane" in IKEv2-05



  How does the responder pick the right private key? You haven't
said how "sales@lox.sandelman.ca" is uniquely bound to a key in the
first place. For the standard way of binding identities to keys you
can use the standard way of conveying this information-- a CERT_REQUEST
payload with DN equal to the issuer of the certificate whose DN contains
sales@lox.sandelman.ca and whose public key corresponds to the
private key you want the responder to use.

  If you're not using some standard way of binding opaque strings
(that may *look* like email names but are not necessarily) then
you can use a proprietary method to convey the necessary information
for your proprietary scheme. Use a private use payload with the
generic header and _do not set the critical bit_. 

  But you don't need to force everyone to implement a mechanism
that will not be used just so you can do some proprietary key
binding scheme between yourselves.

  Dan.

On Mon, 17 Mar 2003 16:52:30 PST you wrote
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> >>>>> "Geoffrey" == Geoffrey Huang <ghuang@cisco.com> writes:
>     Geoffrey> Interesting, but I'm still convinced that the responder can use
>     Geoffrey> the initiator's identity to determine how to respond.  I'm not
>     Geoffrey> certain how a process-to-process tunnel would look exactly,
>     Geoffrey> though. 
> 
>   Please explain to me how the responder can do this.
> 
>   My telnet process will say, quite simply, to the kernel:
> 
>   My ID  = mcr@marajade.dasblinkenled.org
>   YourID = sales@lox.sandelman.ca
> 
>   (To login to the "sales" account that I have)
> 
>   Using ME-tarzan/You-Jane, my IKE would say:
> 
>   ME =mcr@marajade.dasblinkenled.org
>   YOU=sales@lox.sandelman.ca
> 
>   Without ME-Tarzan/You-Jane, the IKE would say:
> 
>   ME=mcr@marajade.dasblinkenled.org
> 
>   How does the responder pick the right private key to respond with?
> 
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> Comment: Finger me for keys
> 
> iQCVAwUBPnZtzIqHRg3pndX9AQHTPgQA2WOw07CC8s2KU24n3cYCz497Q3heHyax
> 9wP3iQ6JVHYdmSSTUKCLH5iM5GbuKfR+aLXs5Ky7jrF8oR6Jdo9+jBX1y0ZalqLq
> ZcwbdHzI8ci8mB1BEKJfd9k71yaMoMHoQcqOgM4zZDk64itjTH0C4i2fZmCDf04Z
> IP42w1Xn6XY=
> =/HdE
> -----END PGP SIGNATURE-----
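The two mechanisms Dan contrasts above, a CERT_REQUEST naming the issuer the initiator trusts versus a private-use payload with the critical bit clear, can be shown with a toy responder. The following is an added example, not code from the thread, the draft, or any implementation: it walks an IKEv2 payload chain using the generic payload header, rejects any unknown payload whose critical bit is set, silently skips unknown private-use payloads whose critical bit is clear, and picks the responder's private key from the issuer named in CERT_REQUEST rather than from the opaque "you are sales@..." string. Assumptions: payload type numbers and the private-use range are taken from RFC 4306 (the draft discussed here predates it); the CERT_REQUEST body is simplified to a cert-encoding byte followed by the issuer DN as a string (RFC 4306 actually carries a hash of the CA key there); the keyring and all messages are constructed for the example.

```python
"""Toy IKEv2 responder: generic payload header walk, critical-bit rule,
and private-key selection from CERT_REQUEST (added example, not from the
original message)."""
import struct

# Payload type numbers as assigned in RFC 4306 (assumption: the draft under
# discussion predates the RFC, but the generic header layout is the same).
IDR, CERTREQ = 36, 38
KNOWN_TYPES = {IDR, CERTREQ}
PRIVATE_USE_MIN = 128          # 128-255 are private use
NO_NEXT_PAYLOAD = 0
CRITICAL_BIT = 0x80            # high bit of the byte after Next Payload
X509_SIG = 4                   # Cert Encoding: X.509 Certificate - Signature
ID_RFC822_ADDR = 3             # ID Type for e-mail style identities


class UnsupportedCriticalPayload(Exception):
    """Responder must reject the message (UNSUPPORTED_CRITICAL_PAYLOAD)."""


def encode_payloads(payloads):
    """payloads: list of (type, critical, body). Returns (first_type, bytes)
    with each generic header's Next Payload pointing at the following one."""
    out = bytearray()
    for i, (ptype, critical, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        flags = CRITICAL_BIT if critical else 0
        # Generic header: Next Payload | C + RESERVED | Payload Length (incl. header)
        out += struct.pack("!BBH", nxt, flags, 4 + len(body)) + body
    return payloads[0][0], bytes(out)


def parse_payloads(first_type, data):
    """Follow the generic header chain; yield (type, critical, body)."""
    ptype, off = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, bool(flags & CRITICAL_BIT), data[off + 4:off + length]
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")


def id_body(email):
    """ID payload body: ID Type, 3 reserved bytes, identification data."""
    return bytes([ID_RFC822_ADDR, 0, 0, 0]) + email.encode()


def certreq_body(issuer_dn):
    """Simplified CERT_REQUEST body (assumption): encoding byte + issuer DN."""
    return bytes([X509_SIG]) + issuer_dn.encode()


# Constructed keyring: issuer DN -> (certificate subject, private key handle).
KEYRING = {
    "CN=Sandelman CA": ("sales@lox.sandelman.ca", "rsa-key-sales"),
    "CN=Other CA": ("admin@lox.sandelman.ca", "rsa-key-admin"),
}


def choose_private_key(first_type, data, keyring):
    """Return the keyring entry selected by CERT_REQUEST, or None.

    Unknown payloads with the critical bit set abort the exchange; unknown
    payloads (e.g. private-use types) without it are ignored. An IDr string
    on its own selects nothing, since it is not bound to any key."""
    payloads = list(parse_payloads(first_type, data))
    for ptype, critical, _ in payloads:
        if critical and ptype not in KNOWN_TYPES:
            raise UnsupportedCriticalPayload(ptype)
    for ptype, _, body in payloads:
        if ptype == CERTREQ and body[:1] == bytes([X509_SIG]):
            issuer = body[1:].decode()
            if issuer in keyring:
                return keyring[issuer]
    return None
```

With a CERT_REQUEST naming "CN=Sandelman CA" the responder lands on the sales key whatever else the message carries; a proprietary binding payload of type 200 is skipped as long as its critical bit is clear and causes rejection when it is set; a message carrying only IDr yields no key at all, which is the point Dan makes about opaque strings.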