Re: Confirm decision on identity handling.



At 3:25 PM -0400 4/11/03, Theodore Ts'o wrote:
>On Wed, Apr 09, 2003 at 05:53:10PM -0700, Paul Hoffman / VPNC wrote:
>>
>>  We are better off with just the first sentence and a revision of the
>>  one proposed here by Ted:
>>
>>     The Identification Payload, denoted ID in this memo, allows peers to
>>     assert an identity to one another. This identity may be used for policy
>>     lookup, but does not necessarily have to match anything in the CERT
>>     payload; both fields may be used by an implementation to perform
>>     access control decisions.
>
>Paul's proposed revision seems clearer and reflects the discussion in
>San Francisco.  Does anybody have any problems with this text, or
>should we just go with it?
>
>							- Ted

I do have a problem with the proposed text. If we leave the 
interpretation of this payload as a local matter, then we have no 
basis for predictable interoperability, other than the trivial case 
that Paul describes as what "sensible" implementations will do, which 
is to ignore the payload value.

If we believe there is a use for the payload, then we need to nail 
down how to use it. I am sensitive to the arguments that Paul made in 
SF about how hard it is today to decide how to match cert data 
against this field. I trust his characterization of the difficulty of 
the problem. But, that just says that we failed to do the job the 
first time around (in IKE v1 and in 2401) and as a result we have a 
mess. If we adopt the language Paul has proposed, we perpetuate the 
problem.

Is it fair to say that the problem here is that we are in a hurry to 
get IKE done, resolution of this issue will take some time and 
effort, and nobody has volunteered to address the problem in a timely 
fashion?

Steve