
RE: Confirm decision on identity handling.



Hi Paul,

Right, but 2407 says:

"When an IKE exchange is authenticated using certificates
(of any format), any ID's used for input to local policy
decisions SHOULD be contained in the certificate used in
the authentication of the exchange."

So, we've got a relationship between ID payload, cert,
and policy.  Maybe I've overextended that relationship.

Regards,

Jim

> -----Original Message-----
> From: Paul Hoffman / VPNC [mailto:paul.hoffman@vpnc.org]
> Sent: Wednesday, April 23, 2003 3:30 PM
> To: Jim Knowles; scott@airespace.com; ipsec@lists.tislabs.com
> Subject: RE: Confirm decision on identity handling.
> 
> 
> At 11:47 AM -0700 4/23/03, jknowles@SonicWALL.com wrote:
> >I think the purpose of the ID payload when using
> >certs is (was) to specify which of several possible IDs
> >contained in the cert should be used for policy
> >lookup.
> 
> There is nothing in the IKEv2 spec that says this, and there is 
> nothing in RFC 2409 that says this. Hence, the desire for more 
> specificity in IKEv2.
> 
> --Paul Hoffman, Director
> --VPN Consortium
>
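The RFC 2407 rule Jim quotes, and the "which of several IDs in the cert" reading he gives it, can be shown as a concrete check. The following is an added illustration, not code from the thread or from any IKE implementation. It parses the body of an ID payload (in both IKEv1 and IKEv2 the body starts with a one-byte ID Type followed by three bytes that this check ignores, then the Identification Data), normalises the identity, refuses to use it for policy lookup unless the same identity appears in the authenticating certificate, and only then consults the local policy table. The certificate's names are supplied as an already-extracted dict (a constructed stand-in for the subject DN and subjectAltName values an X.509 parser would produce) so the example runs with the standard library alone; the policy table and all sample identities are likewise constructed.

```python
"""Added illustration: bind the IKE ID payload to the peer's certificate
before using it for local policy lookup (RFC 2407 section 4.6.2.1).

Assumptions (not from the thread): certificate identities arrive as an
already-extracted dict; the policy table is a plain dict keyed by the
normalised (kind, value) identity.
"""
import ipaddress
import struct

# IKE ID types shared by IKEv1 (RFC 2407) and IKEv2 (RFC 7296 section 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9


def build_id_payload(id_type: int, data: bytes) -> bytes:
    """Constructed ID payload body: one type byte, three bytes the check
    ignores (Protocol ID/Port in IKEv1, RESERVED in IKEv2), then data."""
    return struct.pack("!B3x", id_type) + data


def parse_id_payload(body: bytes) -> tuple:
    """Return a normalised (kind, value) identity from an ID payload body.

    Normalisation matters: the comparison against the certificate must
    not be defeated by case or a trailing dot in an FQDN.
    """
    if len(body) < 4:
        raise ValueError("ID payload body too short")
    id_type, data = body[0], body[4:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return ("ip", str(ipaddress.IPv4Address(data)))
    if id_type == ID_IPV6_ADDR:
        if len(data) != 16:
            raise ValueError("ID_IPV6_ADDR must carry exactly 16 bytes")
        return ("ip", str(ipaddress.IPv6Address(data)))
    if id_type == ID_FQDN:
        return ("dns", data.decode("ascii").lower().rstrip("."))
    if id_type == ID_RFC822_ADDR:
        local, sep, domain = data.decode("ascii").partition("@")
        if not sep:
            raise ValueError("ID_RFC822_ADDR without '@'")
        return ("email", local + "@" + domain.lower())
    if id_type == ID_DER_ASN1_DN:
        return ("dn", bytes(data))  # DER compared byte-for-byte
    raise ValueError(f"unsupported ID type {id_type}")


def id_in_cert(ident: tuple, cert_names: dict) -> bool:
    """True only if the asserted identity is one the certificate vouches for."""
    kind, value = ident
    return value in cert_names.get(kind, ())


def select_policy(id_body: bytes, cert_names: dict, policy_table: dict):
    """Parse the ID, enforce the RFC 2407 SHOULD, then look up policy.

    The ID payload chooses among the identities the cert contains; an
    identity the cert does not contain is rejected, not looked up.
    """
    ident = parse_id_payload(id_body)
    if not id_in_cert(ident, cert_names):
        raise PermissionError(f"ID {ident} not contained in peer certificate")
    policy = policy_table.get(ident)
    if policy is None:
        raise LookupError(f"no policy for {ident}")
    return policy


# Constructed sample data: a cert carrying three identities, and a policy
# table that treats them differently. Names and policies are invented.
SAMPLE_CERT_NAMES = {
    "dns": {"vpn.example.com"},
    "email": {"admin@example.com"},
    "ip": {"192.0.2.1"},
}
SAMPLE_POLICY = {
    ("dns", "vpn.example.com"): "tunnel-to-hq",
    ("ip", "192.0.2.1"): "tunnel-to-hq",
    ("email", "admin@example.com"): "mgmt-access",
}

if __name__ == "__main__":
    # Same cert, different ID payload: the ID selects the policy.
    print(select_policy(build_id_payload(ID_FQDN, b"VPN.Example.COM."),
                        SAMPLE_CERT_NAMES, SAMPLE_POLICY))
    print(select_policy(build_id_payload(ID_RFC822_ADDR, b"admin@EXAMPLE.com"),
                        SAMPLE_CERT_NAMES, SAMPLE_POLICY))
    # An ID the cert does not contain is refused before any lookup.
    try:
        select_policy(build_id_payload(ID_FQDN, b"hq.example.com"),
                      SAMPLE_CERT_NAMES, SAMPLE_POLICY)
    except PermissionError as exc:
        print("rejected:", exc)
```

The order of operations is the point: the identity is checked against the certificate first, and the policy table is consulted only with an identity the peer has actually proven. Looking up policy by the bare ID payload and checking the certificate afterwards would let a peer with any valid certificate steer the lookup toward someone else's policy entry.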