Re: Confirm decision on identity handling.



Hi Gregory,

Gregory Lebovitz wrote:
<trimmed...> 
> you could, but there are plenty of cases (the roaming user) where there is
> no need. Those of us advocating the disassociation are not saying 100%
> disassociate. We are saying make the base-line MUST disassociation, but
> allow the users the ability in configuration to associate and look for ID
> in a certain place in the cert IF THEY WANT. That way, the 10% of the cert
> users that want to associate will get what they need, and the rest of the
> 90% will have something that works easily.
> 
> This is the basic convenience vs. security continuum. Our job as protocol
> designers is to give the people something they can use. 20% want it super
> secure at the cost of convenience. 80% want it secure, but convenient, and
> are willing to make the trade-off from the super-secure. The text I proposed
> tried to reach this goal.

In terms of convenience, I can't think of a more convenient way to
configure a cert-authenticated tunnel for an ipsec client than by saying
"use this cert" and leaving it at that. Having to select a cert *and* an
ID is not simpler than just selecting a cert. This may be slightly less
convenient for the one who codes the receiver (since the receiver now
has to extract an ID from the cert prior to doing a policy lookup), but
forcing the client configuration to contain an ID acceptable to the sgw
is not, by any stretch, more convenient than this. And leaving off the
ID config is more secure in some cases as well.

Scott