
Re: "Me Tarzan, You Jane" in IKEv2-05





>>>>> "dharkins" == dharkins  <dharkins@tibernian.com> writes:
    dharkins> How does the responder pick the right private key? You haven't
    dharkins> said how "sales@lox.sandelman.ca" is uniquely bound to a key in
    dharkins> the first place. For the standard way of binding identities to
    dharkins> keys you can use the standard way of conveying this
    dharkins> information-- a CERT_REQUEST payload with DN equal to the

  I do not speak PKIX, so please explain this to me again.
  Based upon deployment experience with IPsec, neither does anyone else.
 
  If you are saying that PKIX is a *REQUIREMENT* for doing IPsec with IKEv2,
then I'll stick to IKEv1.  
  If your answer is YES to the above, then we can stop doing any of the
legacy authentication things as well. Many people will be a lot happier.

  Raw RSA keys are a stepping stone between PSK and full-X.509. It works.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [