Re: some thoughts on identity handling
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
Stephen> communicate and if so, with what constraints. (This may be in
Stephen> conflict with the opportunistic encryption model of operation. If so,
Stephen> that may be a source of confusion, i.e., we don't agree on the
Stephen> problem we are trying to solve. However, I don't know if this is an
Stephen> issue yet and I'll defer to Mike to say what he thinks on this topic,
Stephen> relative to my notes below.)
We have specifically avoided PKIX certificates, preferring raw keys
in DNS reverse map, authenticated with SIG records for *precisely* the
problems that have come up. Solvable in theory, a disaster in practice.
Stephen> "valid cert" I mean an X.509 cert that can be validated relative
Stephen> to one or more pre-configured trust anchors in the responder. Recall
One major deployment issue in IKEv1 with certificates is that numerous
vendors make configuring these "trust anchors" essentially impossible
for the admin who owns the box, and they have very poorly documented what
they expect to be in the certificate.
Stephen> 2. when a peer presents a valid cert, one could allow the
Stephen> peer to assert any ID against any SPD entry that is linked to the
Stephen> cert. the linkage could be direct, e.g., a pointer to the cert in
Stephen> each SPD entry to which the cert applies, or it might be indirect,
This has always seemed like the best way to me.
How you link to the cert is a question, but there are many different
ways. I still think that this has the same problem that #3 has - it is
just now under the control of the gateway administrator.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBPsU+y4qHRg3pndX9AQHgAAQAv1e7uAWoQAAERC3ndUpeA1e/2weUJfoV
koNdbtaZXTxXN3hCwLHNZATFOxVtNaH+1A2DN/GbUgxTosOLZ3JQKZz0789ROwMn
NtlgpX4JqAV74Bje499+9wuGmuNnRxZagq47KQkFHHu+EDxpPfD0rLG9ijT0w3G5
Su7YKp2Gfmc=
=pSsr
-----END PGP SIGNATURE-----
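The linkage model from option #2 in the exchange above, as an added example that is not part of the thread and not code from any IKE implementation: a responder that has already validated the peer's certificate against its trust anchors then authorizes an asserted ID only against SPD entries linked to that certificate, either directly (a pointer to the cert, modelled here as a fingerprint) or indirectly (here, by issuer). The SPD entries, fingerprints and issuer names are constructed sample values, and `authorize`, `entries_for_cert`, `PeerCert` and `SpdEntry` are names chosen for this example.

```python
"""Toy model of SPD entries linked to peer certificates (IKE responder side).

Added example, not code from the thread or from any IKE implementation.
Path validation against the configured trust anchors is assumed to have
happened already; a cert is represented only by a constructed fingerprint,
its issuer DN and the validation result.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerCert:
    fingerprint: str   # constructed value standing in for a certificate digest
    issuer: str        # issuer DN, used for indirect linkage
    valid: bool        # result of path validation against the trust anchors


@dataclass(frozen=True)
class SpdEntry:
    name: str
    cert_fingerprints: frozenset = frozenset()  # direct linkage: "a pointer to the cert"
    issuers: frozenset = frozenset()            # indirect linkage: any cert from this issuer


def entries_for_cert(spd, cert):
    """SPD entries a validated cert is linked to, directly or via its issuer.

    A cert that did not validate is linked to nothing: a bad chain never
    reaches the authorization step at all.
    """
    if not cert.valid:
        return []
    return [e for e in spd
            if cert.fingerprint in e.cert_fingerprints or cert.issuer in e.issuers]


def authorize(spd, cert, asserted_id, wanted_entry):
    """Option #2: the peer may assert any ID, but only against entries linked to its cert.

    Returns (allowed, reason). The asserted ID is never compared with the
    certificate contents; the linkage the gateway administrator configured is
    the only thing that decides, which is the property the reply objects to.
    """
    if not cert.valid:
        return False, "certificate did not validate to a configured trust anchor"
    linked = {e.name for e in entries_for_cert(spd, cert)}
    if wanted_entry not in linked:
        return False, f"cert {cert.fingerprint} is not linked to SPD entry {wanted_entry}"
    return True, f"ID {asserted_id!r} accepted for {wanted_entry} (any ID under a linked cert)"


# Constructed sample configuration and peers (hypothetical names and values).
SPD = [
    SpdEntry("branch-office", cert_fingerprints=frozenset({"fp:branch-gw"})),
    SpdEntry("road-warriors", issuers=frozenset({"CN=Example Corp VPN CA"})),
]

BRANCH_GW = PeerCert("fp:branch-gw", "CN=Example Corp VPN CA", valid=True)
LAPTOP = PeerCert("fp:laptop-17", "CN=Example Corp VPN CA", valid=True)
UNKNOWN = PeerCert("fp:stranger", "CN=Some Other CA", valid=True)   # valid chain, not linked
BROKEN = PeerCert("fp:branch-gw", "CN=Example Corp VPN CA", valid=False)

if __name__ == "__main__":
    for cert, entry in [(BRANCH_GW, "branch-office"), (LAPTOP, "branch-office"),
                        (LAPTOP, "road-warriors"), (UNKNOWN, "road-warriors"),
                        (BROKEN, "branch-office")]:
        print(authorize(SPD, cert, "any-id@example.com", entry))
```

The `UNKNOWN` case is the point of the model: a certificate that validates to a trust anchor still gets nothing unless an administrator linked it to an SPD entry, so "valid cert" is authentication, and the linkage table is the authorization decision.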