
Re: Confirm decision on identity handling.



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Scott" == Scott G Kelly <scott@airespace.com> writes:
    Scott> Just wanted to comment on this: I agree with Paul. Since we seem
    Scott> unable to produce a coherent specification with respect to
    Scott> PKI-related policies, when using certs the ID payload should not be
    Scott> present. If we

  I would agree, that if you said:

  When using a PKIX-style certificate which is provided in a CERT payload
that the ID payload should not be set to anything other than ID_DER_ASN1_DN
or ID_DER_ASN1_GN.
  The provided GN or DN MUST be identical to that in the certificate.
 (It is redundant, I agree)
  The appropriate policy can clearly be looked up by GN/DN.
  So, I just don't get it. 

  It seems to me that if you are using a pre-exchanged certificate, or other
out-of-band certificate retrieval system, that all ID payload types are
useful. 
  
    Scott> this topic. What a farce. For the last several weeks, I've been
    Scott> trying to get several ostensibly mature implementations to
    Scott> interoperate using certs, and I've not had much success. How sad.

  The last time I tried this, it all failed because implementations could
not produce PKCS10 certificate requests, nor could they load self-signed
certificates. So there was no way to get public keys to the other side.  
  How have things "improved"?

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

-----END PGP SIGNATURE-----