
Re: Confirm decision on identity handling.



-----BEGIN PGP SIGNED MESSAGE-----


Scott, to summarize, your summary:

*If* using public keys carried in CERTs
AND  there is a CERT payload
AND  the CERT contents are meaningful to the receiver
THEN the ID payload is superfluous for the sender.

(I avoid initiator/responder here on purpose)

***************** please confirm *************

The problem that I have with this is that sender is making
an assumption about the responder. 

Right now, I can make a system that does not support certificates
in the IKE *at all* interoperate with one that does by taking
the certificate (which I might get in a CERT payload written
to disk or logged), extracting the public key and putting it
into my configuration file/into DNS/etc.

How do I know this? I do it all the time. That's how one gets
RACOON and FreeSWAN to interoperate using RSA public keys. Every night
my NetBSD backup server talks to a dozen FreeSWAN boxes to back them up.
Did it take configuration? Yes. Of course. I don't know of any VPNs
that do not take some configuration.

So, my problem with dropping the ID payload is that you are depending upon
the sender to know details about the receiver. If you know all of those
details, why not just copy the public keys? (Oh, yeah. You told me.
Because some products are just broken)

So, the situation where all of your conditions hold true is the 
road warrior case, where access is granted not by configuration, but
by permitting any client to connect that has a certificate signed by
some CA.

I.e. the situation where you can omit the ID payload is the
one where you have intentionally mixed authentication with authorization.

So, I'd vote not to do this.

I can't say that I'd be happy about the current document if I was paid
to care a lot about PKIX. In fact, I'd be fuming.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPrBLXIqHRg3pndX9AQEaLgQAqlqKxI7ICD8z3PXPhi5ciK7vWcnJm38b
eb4Czyv0NeHDfdvDnhhAaIQIj7k4ipviZ7BSvx1cVLhlcR07f/aMXyPg/X39HUyy
6uLRMd1UWTaN5WwXLPEWVMyRfjPXlCflF3Ndf28VVUAetwI8g1T0IvuxeaQUehWU
dSJSozMrywo=
=7Ysx
-----END PGP SIGNATURE-----
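The two peer behaviours argued over above, as an added example in Go that is not part of the message, of FreeSWAN or of RACOON: one peer knows nothing about CERT payloads and authorizes by looking up a public key configured per identity (the key having been extracted from a certificate beforehand, as the message describes), the other admits any certificate chaining to a trusted CA and takes the identity from the certificate subject. The certificates, the identity strings and the function names are all constructed for this example; `newCert` stands in for whatever produced the certificate that was logged to disk.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for identity, signed by parent/parentKey
// (pass nil for both to self-sign). Constructed test data, not IKE traffic.
func newCert(identity string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: identity},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PublicKeyPEM pulls the public key out of a certificate and renders it
// as PEM: the value a certificate-less configuration (or a DNS record)
// carries instead of the certificate itself.
func PublicKeyPEM(cert *x509.Certificate) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// KeyID hashes the DER public key so configured and presented keys can
// be compared without worrying about PEM whitespace.
func KeyID(pubPEM string) string {
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil {
		return ""
	}
	sum := sha256.Sum256(block.Bytes)
	return hex.EncodeToString(sum[:])
}

// AuthorizeByConfiguredKey models the peer that ignores CERT payloads:
// the ID payload selects a configured key, and the key the peer proves
// possession of must be that one. Without an ID there is nothing to look up.
func AuthorizeByConfiguredKey(configured map[string]string, idPayload string, presented *x509.Certificate) error {
	if idPayload == "" {
		return errors.New("no ID payload: cannot select a configured key")
	}
	want, ok := configured[idPayload]
	if !ok {
		return fmt.Errorf("identity %q is not configured", idPayload)
	}
	got, err := PublicKeyPEM(presented)
	if err != nil {
		return err
	}
	if KeyID(got) != want {
		return fmt.Errorf("key presented for %q does not match configuration", idPayload)
	}
	return nil
}

// AuthorizeByCA models the road-warrior case: any certificate chaining to
// the trusted CA is admitted and the identity is whatever the CA put in
// the subject, so proving who you are is also being allowed in.
func AuthorizeByCA(roots *x509.CertPool, presented *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := presented.Verify(opts); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := newCert("Example CA", true, nil, nil)
	peer, _, _ := newCert("backup.example", false, ca, caKey)
	pubPEM, _ := PublicKeyPEM(peer)
	configured := map[string]string{"backup.example": KeyID(pubPEM)} // the "copy the key" setup
	fmt.Println("configured-key check:", AuthorizeByConfiguredKey(configured, "backup.example", peer))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println(AuthorizeByCA(roots, peer))
}
```

The configured-key peer needs the ID payload as its lookup key and does not care who signed the certificate; the CA peer needs no ID at all but, by construction, cannot distinguish "authenticated" from "authorized". A peer that omits the ID payload therefore interoperates only with the second kind.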