Re: Confirm decision on identity handling.

Hi Jim,

I trimmed most of this in order to focus on one point:

jknowles@SonicWALL.com wrote:
> 
> Then we could say there is no other IKEv2-defined relationship
> between ID and CERT and that implementations MAY define such
> relationships locally at their own extreme interoperable peril.

I must be missing something really obvious here. If we don't assume
anything about the initiator (e.g. that it can be trusted to put an
"appropriate" policy selector in the ID payload), then I think there
must be security issues with blindly using whatever is passed as a
policy selector, with no defined verification mechanism. As an aside,
exactly what does your client put into the ID payload?

It still sounds to me like we're trying to standardize proprietary
behavior here. What am I missing?

Scott