Re: Confirm decision on identity handling.
At 3:25 PM -0400 4/11/03, Theodore Ts'o wrote:
>On Wed, Apr 09, 2003 at 05:53:10PM -0700, Paul Hoffman / VPNC wrote:
>>
>> We are better off with just the first sentence and a revision of the
>> one proposed here by Ted:
>>
>> The Identification Payload, denoted ID in this memo, allows peers to
>> assert an identity to one another. This identity may be used for policy
>> lookup, but does not necessarily have to match anything in the CERT
>> payload; both fields may be used by an implementation to perform
>> access control decisions.
>
>Paul's proposed revision seems clearer and reflects the discussion in
>San Francisco. Does anybody have any problems with this text, or
>should we just go with it?
>
> - Ted
I do have a problem with the proposed text. If we leave the
interpretation of this payload as a local matter, then we have no
basis for predictable interoperability, other than the trivial case
that Paul describes as what "sensible" implementations will do, which
is to ignore the payload value.

If we believe there is a use for the payload, then we need to nail
down how to use it. I am sensitive to the arguments that Paul made in
SF about how hard it is today to decide how to match cert data
against this field. I trust his characterization of the difficulty of
the problem. But, that just says that we failed to do the job the
first time around (in IKE v1 and in 2401) and as a result we have a
mess. If we adopt the language Paul has proposed, we perpetuate the
problem.

Is it fair to say that the problem here is that we are in a hurry to
get IKE done, resolution of this issue will take some time and
effort, and nobody has volunteered to address the problem in a timely
fashion?
Steve