
Re: Confirm decision on identity handling.

-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "VPNC" == VPNC  <Paul> writes:
    VPNC> At 8:08 AM -0700 5/15/03, Eric Rescorla wrote:
    >> Hmm... I see your point. I was speculating that this would mean
    >> that you didn't much care what was in the certificate.

    VPNC> You could have a security policy that ignored the identity in the 
    VPNC> cert ("allow an SA with these restrictions to anyone who has a cert 
    VPNC> from XYZRoot"), or one that was identity-based ("let 
    VPNC> chris@example.com make an SA").

    >> What would be the point of using an ID payload if you didn't
    >> care what was in it?

    VPNC> There isn't one.

  The parties involved are not the same. You guys keep flipping between
"VPN" and "two random parties" in your discussion. 

  a) If the initiator doesn't know who it is talking to, then it can't 
     know if the responder will look at the ID payload or the CERT,
     so it should include both.

  b) if the initiator *does* know who it is talking to (it is
     pre-configured to talk to it), then the ID payload is probably more
     useful than the certificate, since the two parties have probably
     spoken before!

  Consider SSH-style leap-of-faith security with parties that are on the
phone with each other. 

  You initiate with some ID, along with a CERT payload. The responder records
them both - perhaps, because it is signed by a CA that the responder knows
and trusts, only the DN (WHATEVER it might be). The responder then stores
enough info, and the admin of the responder then adds some policy to it.

  Is this realistic? I've watched the SSH IPsec products do exactly this.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPshNT4qHRg3pndX9AQFjzwQAvTiJqHgFTXqzTLQSldS/sBoQSjwZz4UY
2abZHWVtObSDas8efilJ4CNpavVEQ3A9ja0EtvfrEfhgAtL1KMxL4GBmVqGPquaU
0Mr88uf97vnKYEnY3Yh8sY15KsrwGHacei9KNmMD040dk4Dz/VKB/XpqiLcHo/YA
8lGeS4WC6dI=
=NDA6
-----END PGP SIGNATURE-----
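The two responder policy styles Paul describes (trust anyone holding a cert from a given root, versus allow a named identity) and the first-contact recording Michael describes, as an added example in Python. This is not code from the thread or from any IPsec product; certificates are plain dataclasses with constructed sample fields rather than real X.509, and the names `XYZRoot`, `chris@example.com` and `mallory@example.com` are taken from or modelled on the discussion. The one check the thread does not spell out but a responder must make is that the asserted ID payload is actually a name in the certificate the initiator proved possession of; without it, any holder of a cert from the trusted root could claim another user's ID and inherit that user's identity-based policy.

```python
"""Responder-side authorization of an IKE peer from its ID payload and cert.

Added example, not code from the mailing-list thread or any IPsec product.
Certificates are modelled as plain dataclasses (constructed sample data).
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject_dn: str     # e.g. "CN=Chris Example" (constructed)
    issuer: str         # name of the root that signed it
    san: frozenset      # subjectAltName values: email or FQDN strings

@dataclass(frozen=True)
class Policy:
    kind: str           # "identity" or "ca"
    match: str          # identity string, or root name for "ca"
    restrictions: dict  # SA restrictions to apply (e.g. allowed subnets)

# Roots this responder trusts (assumption for the example).
TRUSTED_ROOTS = {"XYZRoot"}

def cert_names(cert):
    """All names the certificate binds: subject DN plus every SAN."""
    return {cert.subject_dn} | set(cert.san)

def id_bound_to_cert(id_payload, cert):
    """The asserted ID must appear in the cert. Otherwise a holder of any
    cert from the root could assert someone else's ID and get that
    identity's policy applied."""
    return id_payload in cert_names(cert)

def authorize(id_payload, cert, policies):
    """Return (decision, restrictions, reason).

    Rejects on untrusted issuer or ID/cert mismatch, then tries
    identity-based policies before CA-based ones so the more specific
    rule wins when both match.
    """
    if cert.issuer not in TRUSTED_ROOTS:
        return ("reject", None, "untrusted issuer %s" % cert.issuer)
    if not id_bound_to_cert(id_payload, cert):
        return ("reject", None, "ID %s is not a name in the cert" % id_payload)
    ordered = sorted(policies, key=lambda p: 0 if p.kind == "identity" else 1)
    for p in ordered:
        if p.kind == "identity" and p.match == id_payload:
            return ("allow", p.restrictions, "identity policy")
        if p.kind == "ca" and p.match == cert.issuer:
            return ("allow", p.restrictions, "CA policy for %s" % p.match)
    return ("reject", None, "no matching policy")

def record_first_contact(store, id_payload, cert):
    """Leap-of-faith style recording: on first contact from a trusted-root
    cert, remember the ID together with the cert's DN so an admin can
    later turn it into a policy. Returns "untrusted", "new", "same" or
    "changed" (the last meaning the same ID now arrives with a different DN,
    which the admin should look at before adding policy)."""
    if cert.issuer not in TRUSTED_ROOTS:
        return "untrusted"
    if not id_bound_to_cert(id_payload, cert):
        return "untrusted"
    prev = store.get(id_payload)
    if prev is None:
        store[id_payload] = cert.subject_dn
        return "new"
    return "same" if prev == cert.subject_dn else "changed"

# Constructed sample data.
CERT_CHRIS = Cert("CN=Chris Example", "XYZRoot", frozenset({"chris@example.com"}))
CERT_MALLORY = Cert("CN=Mallory", "XYZRoot", frozenset({"mallory@example.com"}))
CERT_OTHER_ROOT = Cert("CN=Chris Example", "OtherRoot", frozenset({"chris@example.com"}))
POLICIES = [
    Policy("ca", "XYZRoot", {"subnets": ["10.0.0.0/24"]}),
    Policy("identity", "chris@example.com", {"subnets": ["10.0.0.0/8"]}),
]

if __name__ == "__main__":
    for who, cert in (("chris@example.com", CERT_CHRIS),
                      ("mallory@example.com", CERT_MALLORY),
                      ("chris@example.com", CERT_MALLORY),
                      ("chris@example.com", CERT_OTHER_ROOT)):
        print(who, cert.subject_dn, authorize(who, cert, POLICIES))
```

The ordering matters: with the CA rule evaluated first, Chris would get the generic `10.0.0.0/24` restriction instead of the identity-specific one, and the ID payload would indeed be pointless, which is exactly Eric's objection. The `record_first_contact` helper stores only the DN once the cert chains to a trusted root, matching the responder behaviour described in the post.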