
RE: Confirm decision on identity handling.



Hi Scott,

I don't like banning ID payloads when using certs.
The ID check against policy is cheap compared to
cert sig processing so I'd like to have the option
of checking for policy match prior to cert processing.
I'm also not sure how I look up the policy without
an ID payload.

I think the purpose of the ID payload when using
certs is (was) to specify which of several possible IDs
contained in the cert should be used for policy
lookup.  Unfortunately, the mapping was never
clearly defined.  Decoupling the ID from the cert
allows the lookup as well and avoids the ID-to-cert
mapping mess.  I guess all that we lose is the direct
authentication of the ID (if in the cert) by the
issuing authority.  Since the ID is ultimately signed
anyway, we don't lose too much.  It's true that
someone holding the private key could send a rogue
identity that is not directly confirmed by the CA/RA.
Depending on your views of PKI, that could be good
or bad :-).  As local policy, we can mandate the
ID-to-cert mapping as we wish.  We just need to
provide the knobs and levers to specify interoperable
mappings.

Regards,

Jim


> -----Original Message-----
> From: Scott G. Kelly [mailto:scott@airespace.com]
> Sent: Tuesday, April 22, 2003 10:53 AM
> To: ipsec@lists.tislabs.com
> Subject: Re: Confirm decision on identity handling.
> 
> 
> 
> Just wanted to comment on this: I agree with Paul. Since we seem
> unable to produce a coherent specification with respect to PKI-related
> policies, when using certs the ID payload should not be present. If we
> cannot agree on this, then the next best position is that the ID payload
> must exactly match an identity contained in the cert. Anything else
> leads to utter confusion and confounds interoperability.
> 
> I can't believe that after so many years, we are still paralyzed w.r.t.
> this topic. What a farce. For the last several weeks, I've been trying
> to get several ostensibly mature implementations to interoperate using
> certs, and I've not had much success. How sad.
> 
> Scott
>
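The two positions in the exchange above, as an added illustration that is not part of either message: Scott's fallback rule (the ID payload must exactly match an identity in the cert) and Jim's flow (use the ID payload for the cheap policy lookup first, then confirm it against the cert only if local policy demands it). The ID kinds, the stand-in certificate structure and the policy table are assumptions of this example, not anything defined on the list.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Identity:
    """An identity as carried in an ID payload or found in a cert (assumed encoding)."""
    kind: str   # "fqdn", "email", "ipv4" or "dn"
    value: str

    def normalized(self) -> "Identity":
        # FQDNs and mail addresses compare case-insensitively and without a trailing dot;
        # DNs are compared as given here (real DN matching is more involved).
        v = self.value.strip()
        if self.kind in ("fqdn", "email"):
            v = v.lower().rstrip(".")
        return Identity(self.kind, v)

@dataclass
class Certificate:
    """Constructed stand-in for a parsed X.509 cert: subject DN plus SAN entries."""
    subject_dn: str
    sans: list = field(default_factory=list)

    def identities(self) -> set:
        # Every name the issuing CA actually vouched for.
        return {Identity("dn", self.subject_dn).normalized()} | {i.normalized() for i in self.sans}

def id_matches_cert(id_payload: Identity, cert: Certificate) -> bool:
    """Strict rule: the ID payload must exactly equal an identity contained in the cert."""
    return id_payload.normalized() in cert.identities()

def lookup_policy(id_payload: Identity, cert: Certificate, policies: dict,
                  require_cert_match: bool = True):
    """Lookup-first flow: find the policy by ID payload before any signature work, so an
    unknown peer is rejected cheaply; then, if local policy says so, insist that the
    asserted ID is one the CA certified. Returns the policy, or None to reject."""
    policy = policies.get(id_payload.normalized())
    if policy is None:
        return None          # no policy for this ID: stop before cert processing
    if require_cert_match and not id_matches_cert(id_payload, cert):
        return None          # key holder asserted a name the CA never confirmed
    return policy
```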