
Re: Confirm decision on identity handling.



At 11:19 PM -0400 5/18/03, Michael Richardson wrote:
>     VPNC> You could have a security policy that ignored the identity in the
>     VPNC> cert ("allow an SA with these restrictions to anyone who has a cert
>     VPNC> from XYZRoot"), or one that was identity-based ("let
>     VPNC> chris@example.com make an SA").
>
>     >> What would be the point of using an ID payload if you didn't
>     >> care what was in it?
>
>     VPNC> There isn't one.
>
>   The parties involved are not the same. You guys keep flipping between
>"VPN" and "two random parties" in your discussion.

Sorry, but that's not true at all. I have consistently been talking 
about VPNs. (No surprise there.) In this thread, it seems like you're 
the one who is consistently speaking about "two random parties". (No 
surprise there, either.)

As shown above, a VPN with certificates where the receiving party 
doesn't know or care about the specific identity of the sending party 
can still let the sending party be part of a VPN on the receiving party's 
system. These are not random parties.

--Paul Hoffman, Director
--VPN Consortium