
Re: Confirm decision on identity handling.



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Scott" == Scott G Kelly <scott@airespace.com> writes:
    Scott> In terms of convenience, I can't think of a more convenient way to
    Scott> configure a cert-authenticated tunnel for an ipsec client than by
    Scott> saying "use this cert" and leaving it at that. Having to select a
    Scott> cert *and* an 

  I agree with you here.
  But, I think that you still want to drop the IDi payload here.
 
  Can we add something like the hash of the public key (or cert) here as the
ID? 

  That can be derived automatically by the client, and it provides a hook
by which a server might be able to lookup the right key, should it find the
certificate itself not to its liking.

  I really do not want to make the IDi optional.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPsQJeoqHRg3pndX9AQGYTgQAqzIns2gt5R7dw9t9Cp5nmAFedIzDZ2rz
BZFYtJIyJfCzPx+KDUXtmmJPxFOLB4YmWl7D39d3LrKsslS5gx1Dsk53t3BliAy+
PV8TQLr+Opg+AbKPv/HjgYT0dFMptmat8AZ9b6R6dW+lA8tPtOxe9tuHsrkZrDAE
Q5x3ZYfuwwU=
=3rx1
-----END PGP SIGNATURE-----
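The lookup the message above argues for, modelled as an added example (not code from this thread or from any IKE implementation): the initiator derives IDi from the public key in the certificate it was told to use, and the responder treats that value as the key into its own table of configured peer keys, turning to the presented certificate only when the key is unknown to it. Everything below is constructed for illustration: the stdlib DER encoder for a SubjectPublicKeyInfo, the toy RSA parameters (distinct integers, not real keys), the in-memory peer table and the stubbed chain check. Using SHA-256 as the hash is an assumption, and verifying the AUTH payload with the looked-up key is left out.

```python
"""Key-hash identities for IKE: added example, not code from the thread.

The initiator derives IDi from its public key; the responder uses it to
look up the key it was configured with, consulting the presented cert only
when the key is unknown. DER encoder, toy RSA parameters and peer table are
constructed here; SHA-256 as the hash is an assumption; AUTH verification
with the looked-up key is omitted.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    """DER INTEGER; (bit_length+8)//8 yields the leading 0x00 a set high bit needs."""
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_spki(n: int, e: int) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA public key (RFC 5280 / RFC 3279 layout)."""
    algorithm = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    subject_public_key = _der(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return _der(0x30, algorithm + subject_public_key)


def key_id(spki: bytes) -> bytes:
    """The proposed IDi value: a hash over the peer's SubjectPublicKeyInfo."""
    return hashlib.sha256(spki).digest()


@dataclass(frozen=True)
class Certificate:
    """Stand-in for an X.509 certificate: only the fields this example consults."""
    subject: str
    spki: bytes
    chain_ok: bool  # outcome of the responder's own path validation, stubbed


def initiator_idi(cert: Certificate) -> bytes:
    """No extra client configuration: IDi follows from 'use this cert'."""
    return key_id(cert.spki)


class Responder:
    def __init__(self) -> None:
        # IDi value -> (peer name, SPKI the administrator configured for it)
        self.peers: Dict[bytes, Tuple[str, bytes]] = {}

    def add_peer(self, name: str, spki: bytes) -> None:
        self.peers[key_id(spki)] = (name, spki)

    def authenticate(self, idi: bytes, cert: Certificate) -> Optional[str]:
        """Return the authenticated peer name, or None if IDi cannot be honoured."""
        entry = self.peers.get(idi)
        if entry is not None:
            # IDi is the hook: we hold our own copy of this key, so the cert
            # need not be to our liking, but it must carry the very key IDi
            # names, or the initiator is claiming someone else's identity.
            name, configured_spki = entry
            return name if cert.spki == configured_spki else None
        # Unknown key: only the certificate can vouch for it, so it must pass
        # path validation and must match the identity being asserted.
        if cert.chain_ok and key_id(cert.spki) == idi:
            return cert.subject
        return None


# Constructed toy RSA parameters: distinct integers, not real key material.
ALICE_N = 0xC0FFEE00D15EA5E0BADC0DE0
BOB_N = 0xDEADBEEFCAFEBABE01234567
MALLORY_N = 0xFEEDFACE0BADF00D89ABCDEF
E = 65537


def demo() -> Dict[str, Optional[str]]:
    """Run the four cases the argument in the message turns on."""
    alice_spki, bob_spki, mallory_spki = (rsa_spki(n, E) for n in (ALICE_N, BOB_N, MALLORY_N))
    responder = Responder()
    responder.add_peer("alice", alice_spki)  # configured out of band

    alice_cert = Certificate("alice", alice_spki, chain_ok=False)  # e.g. expired
    bob_cert = Certificate("bob", bob_spki, chain_ok=True)
    bob_bad_cert = Certificate("bob", bob_spki, chain_ok=False)
    mallory_cert = Certificate("mallory", mallory_spki, chain_ok=True)

    return {
        "configured key, disliked cert": responder.authenticate(initiator_idi(alice_cert), alice_cert),
        "unknown key, good cert": responder.authenticate(initiator_idi(bob_cert), bob_cert),
        "unknown key, bad cert": responder.authenticate(initiator_idi(bob_bad_cert), bob_bad_cert),
        "alice's IDi, mallory's key": responder.authenticate(key_id(alice_spki), mallory_cert),
    }
```

Calling demo() returns "alice" for the configured key even though her certificate fails the responder's chain check, "bob" for an unknown key backed by an acceptable certificate, and None both for an unknown key with a bad certificate and for an IDi that names alice's key while the certificate carries mallory's. The last case is why the responder compares the configured SPKI against the one in the certificate rather than trusting the IDi value alone.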