
Re: some thoughts on identity handling

>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
    Stephen> communicate and if so, with what constraints. (This may be in
    Stephen> conflict with the opportunistic encryption model of operation.
    Stephen> If so, that may be a source of confusion, i.e., we don't agree
    Stephen> on the problem we are trying to solve. However, I don't know
    Stephen> if this is an issue yet and I'll defer to Mike to say what he
    Stephen> thinks on this topic, relative to my notes below.)

  We have specifically avoided PKIX certificates, preferring raw keys
in the DNS reverse map, authenticated with SIG records, for *precisely* the
problems that have come up. Solvable in theory, a disaster in practice.

    Stephen> "valid cert" I mean an X.509 cert that can be validated relative
    Stephen> to one or more pre-configured trust anchors in the responder.
    Stephen> Recall
  
  One major deployment issue in IKEv1 with certificates is that numerous
vendors make configuring these "trust anchors" essentially impossible
for the admin who owns the box, and they have very poorly documented what
they expect to be in the certificate.

    Stephen> 	2. when a peer presents a valid cert, one could allow the
    Stephen> peer to assert any ID against any SPD entry that is linked to the
    Stephen> cert. the linkage could be direct, e.g., a pointer to the cert in
    Stephen> each SPD entry to which the cert applies, or it might be indirect,

  This has always seemed like the best way to me.
  How you link to the cert is a question, but there are many different
ways. I still think that this has the same problem that #3 has - it is
just now under the control of the gateway administrator.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [