Re: "Me Tarzan, You Jane" in IKEv2-05
How does the responder pick the right private key? You haven't
said how "sales@lox.sandelman.ca" is uniquely bound to a key in the
first place. For the standard way of binding identities to keys you
can use the standard way of conveying this information -- a CERT_REQUEST
payload with DN equal to the issuer of the certificate whose DN contains
sales@lox.sandelman.ca and whose public key corresponds to the
private key you want the responder to use.
If you're not using some standard way of binding opaque strings
(that may *look* like email names but are not necessarily) then
you can use a proprietary method to convey the necessary information
for your proprietary scheme. Use a private use payload with the
generic header and _do not set the critical bit_.
But you don't need to force everyone to implement a mechanism
that will not be used just so you can do some proprietary key
binding scheme between yourselves.
Dan.
On Mon, 17 Mar 2003 16:52:30 PST you wrote
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> >>>>> "Geoffrey" == Geoffrey Huang <ghuang@cisco.com> writes:
> Geoffrey> Interesting, but I'm still convinced that the responder can use
> Geoffrey> the initiator's identity to determine how to respond. I'm not
> Geoffrey> certain how a process-to-process tunnel would look exactly,
> Geoffrey> though.
>
> Please explain to me how the responder can do this.
>
> My telnet process will say, quite simply, to the kernel:
>
> My ID = mcr@marajade.dasblinkenled.org
> YourID = sales@lox.sandelman.ca
>
> (To login to the "sales" account that I have)
>
> Using ME-tarzan/You-Jane, my IKE would say:
>
> ME =mcr@marajade.dasblinkenled.org
> YOU=sales@lox.sandelman.ca
>
> Without ME-Tarzan/You-Jane, the IKE would say:
>
> ME=mcr@marajade.dasblinkenled.org
>
> How does the responder pick the right private key to respond with?
>
> ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> Comment: Finger me for keys
>
> iQCVAwUBPnZtzIqHRg3pndX9AQHTPgQA2WOw07CC8s2KU24n3cYCz497Q3heHyax
> 9wP3iQ6JVHYdmSSTUKCLH5iM5GbuKfR+aLXs5Ky7jrF8oR6Jdo9+jBX1y0ZalqLq
> ZcwbdHzI8ci8mB1BEKJfd9k71yaMoMHoQcqOgM4zZDk64itjTH0C4i2fZmCDf04Z
> IP42w1Xn6XY=
> =/HdE
> -----END PGP SIGNATURE-----
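As a worked illustration of the two answers above to Michael's question (how the responder picks a private key), here is an added toy model; it is not code from the IPsec working group, from any IKE implementation, or from either poster. It models Dan's two paths: a CERT_REQUEST payload that narrows the responder's credentials by issuer, and a private-use payload (type 200 is an assumed value from the 128-255 private-use range) carrying the "YOU=" string, with the critical bit clear so a responder that does not understand it simply skips it. The payload header layout (next payload, critical bit, length) is the IKEv2 generic header; the CERT_REQUEST body is simplified to an issuer DN string as the thread describes it, whereas real IKEv2 carries CA key hashes, and the credential store and sample identities are constructed.

```python
"""Toy model of IKEv2 responder key selection (constructed example)."""
import struct
from dataclasses import dataclass

# IKEv2 generic payload header: Next Payload (1 byte), C bit + reserved (1), Length (2)
HEADER = struct.Struct("!BBH")
PT_NONE = 0
PT_CERTREQ = 38        # IKEv2 Certificate Request payload type
PT_PRIVATE_ID = 200    # assumed private-use type carrying "YOU=<id>" (hypothetical)


@dataclass
class Payload:
    ptype: int
    critical: bool
    body: bytes


def encode_payloads(payloads):
    """Chain payloads; each header's Next Payload names the following one."""
    out = b""
    for i, p in enumerate(payloads):
        nxt = payloads[i + 1].ptype if i + 1 < len(payloads) else PT_NONE
        flags = 0x80 if p.critical else 0
        out += HEADER.pack(nxt, flags, HEADER.size + len(p.body)) + p.body
    return out


def decode_payloads(data, first_type):
    """Walk the payload chain; first_type is the IKE header's Next Payload."""
    result, ptype, off = [], first_type, 0
    while ptype != PT_NONE:
        nxt, flags, length = HEADER.unpack_from(data, off)
        if length < HEADER.size or off + length > len(data):
            raise ValueError("bad payload length")
        body = data[off + HEADER.size: off + length]
        result.append(Payload(ptype, bool(flags & 0x80), body))
        ptype, off = nxt, off + length
    return result


@dataclass
class Credential:
    subject_email: str   # identity named in the certificate
    issuer_dn: str       # DN of the CA that issued it
    key_id: str          # handle for the matching private key


# Constructed responder key store: two identities under one CA, one under another.
CREDS = [
    Credential("sales@lox.sandelman.ca", "CN=Sandelman CA", "key-sales"),
    Credential("mcr@lox.sandelman.ca", "CN=Sandelman CA", "key-mcr"),
    Credential("sales@lox.sandelman.ca", "CN=Other CA", "key-sales-other"),
]


def select_private_key(creds, payloads, understands_private_id):
    """Return the key_id to sign with, or None if the payloads leave it ambiguous.

    Unknown payloads with the C bit clear are ignored; an unknown payload with
    the C bit set must be rejected (IKEv2: UNSUPPORTED_CRITICAL_PAYLOAD).
    """
    candidates = list(creds)
    for p in payloads:
        if p.ptype == PT_CERTREQ:
            issuer = p.body.decode()
            candidates = [c for c in candidates if c.issuer_dn == issuer]
        elif p.ptype == PT_PRIVATE_ID and understands_private_id:
            text = p.body.decode()
            wanted = text[4:] if text.startswith("YOU=") else text
            candidates = [c for c in candidates if c.subject_email == wanted]
        elif p.critical:
            raise ValueError(f"unsupported critical payload type {p.ptype}")
        # else: unrecognised, non-critical payload -> skipped as the spec allows
    return candidates[0].key_id if len(candidates) == 1 else None


def demo():
    """Wire-encode a CERTREQ plus the private-use ID payload and decode it back."""
    msg = [Payload(PT_CERTREQ, False, b"CN=Sandelman CA"),
           Payload(PT_PRIVATE_ID, False, b"YOU=sales@lox.sandelman.ca")]
    decoded = decode_payloads(encode_payloads(msg), msg[0].ptype)
    return (select_private_key(CREDS, decoded, understands_private_id=True),
            select_private_key(CREDS, decoded, understands_private_id=False))


if __name__ == "__main__":
    print(demo())
```

The CERT_REQUEST alone disambiguates only when the responder holds a single certificate from that issuer; under "CN=Sandelman CA" two remain, and the proprietary "YOU=" hint resolves it for a peer that implements it while costing nothing for one that does not.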