
RE: Confirm decision on identity handling.



==Attempted summary of thread to date:
- Paul proposed final text.

- Gregory thought it was a bit too loose for interop, and proposed text with
same intent, just more explicit (or at least I tried to). This text made it
clear that the interoperability bar is satisfied when the ID payload is used
with certs and no connection is made between the two. It allowed for other
use cases, but these would be implementation specific, and (honestly) are
not guaranteed to interoperate.

- Scott asserts that in order to guarantee interoperability, as a
responder I will need to have the ability to ignore the ID payload and
parse the cert instead for policy lookup, so why not simply treat the cert
as the ID in this case, and not add superfluous ID payloads which someone
may or may not ignore? Scott wants it as cut and dry as possible, for the
sake of interop.

- Jim K. would like the option to be able to use ID payload for policy
lookup, and cert contents for credentials. 

- we need something for policy lookup when the cert is not included in the
exchange, but is used. ID payload is a way to do this.

== In order to finalize something, I would like to re-assert my proposed
text and ask for either replacement text or to ratify this text:

Goals of text:
> - the base interoperable way is DO NOT CHECK ID matches cert. This is the
> only guaranteed interoperable way.
> - implementations MUST be able to handle IDs that do not match cert
> contents
> - implementations MAY be configured to match.
> - Matching will only interoperate if both sides support the feature and
> have matching turned on. (i.e., we may not get good interop here)
>
> Proposed Text:
> The Identification Payload, denoted ID in this memo, allows peers to
> assert an identity to one another. The receiver will interpret the
> identity payload as a unique identity string for policy lookup in its
> SPD. Implementations MUST NOT mandate a check that the ID match anything
> in the certificate presented, and therefore MUST be able to accept the
> case where the identity presented does NOT match the certificate
> contents.
>
> To allow for more stringent local security policy, implementations MAY
> offer a configuration option to check that the identity presented in the
> identity payload matches the equivalent identity type in the presented
> certificate. In such a case, interoperability will only be achieved by
> two consenting parties who both have such configuration options
> available on their respective gateways and who both enable the option.


 Gregory.
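The following is an added illustration of the responder behaviour the proposed text describes; it is not code from the thread or from any IKE implementation. It models the ID payload as the SPD lookup key, treats the ID-versus-certificate check as an off-by-default configuration option, and shows why two gateways only interoperate with the check when both enable it. The identity type names, the `Identity`/`Certificate`/`ResponderPolicy` classes, the SPD entries and the certificate contents are all assumptions constructed for the example; nothing is parsed from a real IKE exchange or X.509 certificate.

```python
# Added example, not from the thread: responder-side identity handling under
# the proposed text. The ID payload drives SPD lookup; matching the ID against
# the certificate is an optional policy knob that defaults to off.
from dataclasses import dataclass

# Assumed identity type labels, modelled on the IKE ID types (FQDN,
# RFC822 e-mail address, DER-encoded distinguished name).
ID_FQDN = "FQDN"
ID_RFC822 = "RFC822"
ID_DER_ASN1_DN = "DER_ASN1_DN"


@dataclass(frozen=True)
class Identity:
    id_type: str
    value: str


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a presented X.509 certificate: the set of
    identities a real implementation would extract from its subject and
    subjectAltName fields."""
    identities: frozenset


@dataclass
class ResponderPolicy:
    spd: dict                            # Identity -> policy name
    check_id_matches_cert: bool = False  # the "MAY" option; default off


def id_matches_cert(cert, ident):
    """True if the certificate carries an identity of the same type as the
    ID payload with an equal value. Comparison is case-insensitive, which is
    right for FQDNs and e-mail domains; real DN matching needs an ASN.1-aware
    comparison and is only approximated here."""
    return any(ci.id_type == ident.id_type
               and ci.value.lower() == ident.value.lower()
               for ci in cert.identities)


def handle_peer(policy, id_payload, cert):
    """Responder side. Look the peer up in the SPD by the presented ID, then
    apply the optional cross-check. Returns (accepted, policy_name_or_reason)."""
    entry = policy.spd.get(id_payload)
    if entry is None:
        return False, "no SPD entry for presented ID"
    if not policy.check_id_matches_cert:
        # Base interoperable behaviour: the ID is accepted as-is, even when it
        # names something the certificate does not.
        return True, entry
    if not id_matches_cert(cert, id_payload):
        return False, "ID payload does not match certificate identity"
    return True, entry


def exchange_succeeds(policy_a, id_a, cert_a, policy_b, id_b, cert_b):
    """Both directions of a two-gateway exchange: A evaluates B's ID and
    cert, B evaluates A's. The tunnel comes up only if both accept."""
    ok_a, _ = handle_peer(policy_a, id_b, cert_b)
    ok_b, _ = handle_peer(policy_b, id_a, cert_a)
    return ok_a and ok_b


if __name__ == "__main__":
    # Constructed sample data: one SPD shared by both gateways, and a cert
    # whose e-mail SAN differs from the e-mail ID the peer asserts.
    spd = {Identity(ID_FQDN, "gw1.example.net"): "tunnel-gw1",
           Identity(ID_RFC822, "ops@example.net"): "tunnel-ops"}
    cert = Certificate(frozenset({Identity(ID_FQDN, "gw1.example.net"),
                                  Identity(ID_RFC822, "admin@example.net")}))
    loose = ResponderPolicy(spd=spd)
    strict = ResponderPolicy(spd=spd, check_id_matches_cert=True)
    mismatched_id = Identity(ID_RFC822, "ops@example.net")
    print(handle_peer(loose, mismatched_id, cert))   # accepted: no cross-check
    print(handle_peer(strict, mismatched_id, cert))  # rejected: check is on
    print(exchange_succeeds(loose, mismatched_id, cert,
                            strict, mismatched_id, cert))  # False
```

The last call shows the interop point from the goals list: with the same ID and certificate on both ends, the exchange succeeds when both gateways run `loose`, and fails as soon as one side turns the check on while the other asserts an ID that its certificate does not carry.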