[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Confirm decision on identity handling.
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Scott" == Scott G Kelly <scott@airespace.com> writes:
Scott> If the cert contents are not meaningful to the receiver, the
Scott> discussion is moot, is it not?
>> Not entirely. If the cert contents is not meaningful to the receiver,
>> and the sender does not send an ID payload, then the negotiation fails.
Scott> I think we're talking past one another here. I meant that if the
Scott> contents aren't meaningful to the receiver, the receiver most
Scott> likely can't parse the cert or use the public key contained
Scott> therein. I think
Imagine a situation where the receiver has been made aware of the sender's
public key, and it has been attached to an ID that the sender is expected to
use.
(remember, this may even occur by trial-and-error, plus reading of logs by
the receiver!)
The receiver can't parse the CERT in real time, but they can attach the
public key. So, if you drop the ID, then the protocols gets weird, and the
receiver can't cope.
>> As an alternative, how about:
>>
>> ID_PKIX_CERT 12
>>
>> No identifier is provided, derive one from the provided certificate.
Scott> This is essentially what Jim Knowles proposed (I think), and I think
Scott> this is a reasonable compromise. However, I think it will only
Scott> improve interoperability if all implementations are required to
Scott> support it.
Unless we make CERTs a MUST, you won't get that.
But, I keep suggesting that VPNs should have a difference set of MUSTs.
Let's not mix up different applicability situations.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBPra8M4qHRg3pndX9AQG6qgQAsNprZgmPOH3nxC3503MgmBYupl5Eczzt
epEY5NaVrHZsKzRj+bMKJ4kGWfBYK04ML9xj8Ykuo/pc4P+E0J52dHylEO9iMR5U
LN8GND6hymgve4F14axhCXnq8Da64ydKjndb42RbplYRwDYiH33R1dkJczXX3XeM
gtyEMDH6jtc=
=cYDm
-----END PGP SIGNATURE-----