
Re: me tarzan- me jane suggested text change



Ravi, I guess the consensus I heard was that there are at least 2 reasons why we don't want to require this match:

1) Current difficulties in cert creation. This means that some folks want to share a cert between multiple identities.

2) Once you have a cert, there is confusion about how you extract an identity from the cert, i.e. there are too many options for inserting an ID into a PKIX cert.

The conclusion is that there needs to be some way for a cert recipient to say that a cert is acceptable to be used by the sending identity. BUT, the identities claimed in the ID payload and cert need not match. This is equivalent to saying acceptability is a local matter. Since this is a confusing point to more than one, I was suggesting that it be clarified in the spec. I do not believe that adding clarity about intent leads to increased interoperability problems.

Jeff

Ravi wrote:
> In my view, making the ID check a local matter might result in
> deployment interoperability problems. I don't see any problem
> in making sure that both the ID in the payload and the ID in the
> certificate match the ID configured in the IKE policies.
> That is, all three have to be the same. Does anybody see a problem
> in comparing IDs and ensuring that they are the same and making
> this mandatory?
>
> Thanks for your time
>
> jpickering@creeksidenet.com wrote:
>>
>> Per the SF discussion surrounding whether the ID payload must match the ID
>> in a presented cert, I would like to add my vote for increased clarity. To do so,
>> I believe the following text represents the spirit of the WG:
>>
>> In section 2.15, to the sentence that states:
>>
>> "Optionally, messages 3 and 4 MAY include a certificate, or certificate chain providing evidence
>> that the key used to compute a digital signature belongs to the name in the ID payload."
>>
>> Add the following:
>>
>> "The exact requirement for mapping the name in the ID payload to an acceptable key is a local matter
>> and outside the scope of this document".
>>
>> Jeff
>
> --
>
> The views presented in this mail are completely mine. The company is not responsible for them whatsoever.
>
> ----------
> Ravi Kumar CH
> Rendezvous On Chip (i) Pvt Ltd
> Hyderabad, India
> Ph: +91-40-2335 1214 / 1175 / 1184
>
> ROC home page
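To make the two positions in this thread concrete, here is an added example (not code from the thread, the IKEv2 draft, or any implementation) of a responder-side check that binds the ID payload to a presented certificate. It assumes a hypothetical policy format, represents the certificate as a constructed record of its name-bearing fields rather than a parsed X.509 blob, and takes chain validation as already done. The "strict" mode is the rule Ravi proposes (ID payload, configured ID and certificate name must all agree); the "local" mode is the local-matter reading, where the administrator maps each peer ID to whichever certificate names are acceptable for it, which is what lets one cert be shared between several identities. The `cert_names` set also shows why "the ID in the cert" is not a single value: a PKIX cert carries a subject DN plus any number of subjectAltName forms.

```python
"""Binding an IKEv2 ID payload to a presented certificate under local policy.

Added example for the ipsec WG thread above; not code from the draft or any
implementation. Cert is a constructed record, the policy format is
hypothetical, and chain validation is assumed to have happened already.
"""
from dataclasses import dataclass
import ipaddress

# IKEv2 ID payload types used below.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_DER_ASN1_DN = 9

_ID_KIND = {ID_IPV4_ADDR: "ip", ID_FQDN: "fqdn",
            ID_RFC822_ADDR: "email", ID_DER_ASN1_DN: "dn"}


def canon(kind, value):
    """Canonical (kind, value) pair shared by ID payloads, cert names and policy."""
    if kind == "ip":
        return (kind, str(ipaddress.ip_address(value)))
    if kind == "fqdn":
        return (kind, value.lower().rstrip("."))
    # email and dn: case-folded string compare (a real DN compare would use
    # X.500 matching rules; a string compare is enough to show the flow).
    return (kind, value.lower())


@dataclass(frozen=True)
class IdPayload:
    id_type: int
    data: str  # textual identification data


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the identity-bearing parts of a PKIX cert."""
    subject_dn: str
    san_dns: tuple = ()
    san_email: tuple = ()
    san_ip: tuple = ()


def canonical_id(idp):
    if idp.id_type not in _ID_KIND:
        raise ValueError(f"unsupported ID type {idp.id_type}")
    return canon(_ID_KIND[idp.id_type], idp.data)


def cert_names(cert):
    """Every identity the cert carries: subject DN plus each SAN form (a set)."""
    names = {canon("dn", cert.subject_dn)}
    names |= {canon("fqdn", d) for d in cert.san_dns}
    names |= {canon("email", e) for e in cert.san_email}
    names |= {canon("ip", i) for i in cert.san_ip}
    return names


def accept_peer(idp, cert, policy):
    """Return (accepted, reason) for using `cert` under the identity in `idp`.

    policy["peers"] maps a canonical peer ID to the cert names the local
    administrator accepts for it (ignored in strict mode).
    """
    peer = canonical_id(idp)
    names = cert_names(cert)
    if peer not in policy["peers"]:
        return False, "ID payload does not name a configured peer"
    if policy["mode"] == "strict":
        # Payload ID, configured ID and a cert name must all coincide.
        if peer in names:
            return True, "ID payload, policy and certificate all agree"
        return False, "certificate does not carry the ID payload identity"
    if policy["mode"] == "local":
        # Cert must carry some name mapped to this peer; it need not equal
        # the ID payload, so one cert can serve several identities.
        acceptable = {canon(k, v) for k, v in policy["peers"][peer]}
        if names & acceptable:
            return True, "certificate carries a name mapped to this peer"
        return False, "no mapped certificate name for this peer"
    raise ValueError(f"unknown policy mode {policy['mode']!r}")


# Constructed sample: one gateway cert shared by several IKE identities.
SHARED_CERT = Cert(subject_dn="CN=vpn.example.net,O=Example",
                   san_dns=("vpn.example.net",))

STRICT_POLICY = {"mode": "strict", "peers": {
    canon("fqdn", "vpn.example.net"): [],
    canon("fqdn", "branch1.example.net"): [],
    canon("email", "branch2@example.net"): []}}

LOCAL_POLICY = {"mode": "local", "peers": {
    canon("fqdn", "branch1.example.net"): [("fqdn", "vpn.example.net")],
    canon("email", "branch2@example.net"): [("dn", "CN=vpn.example.net,O=Example")]}}


if __name__ == "__main__":
    for idp in (IdPayload(ID_FQDN, "vpn.example.net"),
                IdPayload(ID_FQDN, "branch1.example.net"),
                IdPayload(ID_RFC822_ADDR, "Branch2@Example.net")):
        for pol in (STRICT_POLICY, LOCAL_POLICY):
            print(pol["mode"], idp.data, accept_peer(idp, SHARED_CERT, pol))
```

Under the strict policy only the identity that literally appears in the cert (`vpn.example.net`) is accepted, so the two branch identities sharing that cert are refused; under the local policy they are accepted because the administrator mapped them to the gateway cert's names, while `vpn.example.net` itself is refused simply because nobody configured it. Both outcomes are "correct" for their policy, which is the sense in which acceptability is a local matter, and also why Ravi's worry is real: two responders with different local rules will disagree on the same ID/cert pair.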