
Re: Confirm decision on identity handling.



Michael Richardson wrote:
>>>>>>"VPNC" == VPNC  <Paul> writes:
> 
>     VPNC> At 3:01 PM -0400 5/20/03, Michael Richardson wrote:
>     >> What I do hear is that the VPN has to work for two parties who have
>     >> picked random CAs, and can't control what goes into the
>     >> certificate. That sure sounds like "two random parties" to me.
> 
>     VPNC> We hear differently. No one creating a VPN (as compared to 
>     VPNC> opportunistic encryption) can pick random CAs. For VPNs, there is a 
>     VPNC> shared trusted CA
> 
>   So, why is there a problem with telling the CA what needs to go into the
> certificate?
>
You might not control the CA you are using.  Even if you do, you might have
some constraints on what goes in the certificate imposed by some other piece of
(frequently broken) software that you also use that certificate with.  Or what
you put in the certificates to work with your previous VPN software might not 
work with your shiny new VPN software, and you might not want to reissue all 
your certs that still have a certain amount of time left on them.  Or you might 
not want to put ugly things into your current certificates to cope with the 
vagaries of the software you currently use with them, in the hopes you'll be 
able to get better software later. (Horror stories deleted in the interests of 
space.)

--Diana

====================================
D. K. Smetters
Member of the Research Staff
Palo Alto Research Center