[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Confirm decision on identity handling.

To: "Scott G. Kelly" <scott@airespace.com>
Subject: Re: Confirm decision on identity handling.
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 05 May 2003 15:32:05 -0400
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of "Mon, 05 May 2003 10:13:17 PDT." <3EB69BAD.F3CCB359@airespace.com>
Sender: owner-ipsec@lists.tislabs.com

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Scott" == Scott G Kelly <scott@airespace.com> writes:
    Scott> If the cert contents are not meaningful to the receiver, the
    Scott> discussion is moot, is it not?

    >> Not entirely. If the cert contents is not meaningful to the receiver,
    >> and the sender does not send an ID payload, then the negotiation fails.

    Scott> I think we're talking past one another here. I meant that if the
    Scott> contents aren't meaningful to the receiver, the receiver most
    Scott> likely can't parse the cert or use the public key contained
    Scott> therein. I think 

  Imagine a situation where the receiver has been made aware of the sender's
public key, and it has been attached to an ID that the sender is expected to
use. 
  (remember, this may even occur by trial-and-error, plus reading of logs by
the receiver!) 

  The receiver can't parse the CERT in real time, but they can attach the
public key. So, if you drop the ID, then the protocols gets weird, and the
receiver can't cope.

    >> As an alternative, how about:
    >> 
    >> ID_PKIX_CERT                      12
    >> 
    >> No identifier is provided, derive one from the provided certificate.

    Scott> This is essentially what Jim Knowles proposed (I think), and I think
    Scott> this is a reasonable compromise. However, I think it will only
    Scott> improve interoperability if all implementations are required to
    Scott> support it. 

  Unless we make CERTs a MUST, you won't get that.
  But, I keep suggesting that VPNs should have a difference set of MUSTs.

  Let's not mix up different applicability situations.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPra8M4qHRg3pndX9AQG6qgQAsNprZgmPOH3nxC3503MgmBYupl5Eczzt
epEY5NaVrHZsKzRj+bMKJ4kGWfBYK04ML9xj8Ykuo/pc4P+E0J52dHylEO9iMR5U
LN8GND6hymgve4F14axhCXnq8Da64ydKjndb42RbplYRwDYiH33R1dkJczXX3XeM
gtyEMDH6jtc=
=cYDm
-----END PGP SIGNATURE-----

References:
- Re: Confirm decision on identity handling.
  - From: "Scott G. Kelly" <scott@airespace.com>

Prev by Date: Re: Confirm decision on identity handling.
Next by Date: Re: IPSEC in High Availability scenarios
Prev by thread: Re: Confirm decision on identity handling.
Next by thread: Re: Confirm decision on identity handling.
Index(es):
- Date
- Thread