
Re: Confirm decision on identity handling.



>>>>> "D" == D K Smetters <smetters@parc.com> writes:
    VPNC> At 3:01 PM -0400 5/20/03, Michael Richardson wrote:
    >> >> What I do hear is that the VPN has to work for two parties who have
    >> >> picked random CAs, and can't control what goes into the
    >> >> certificate. That sure sounds like "two random parties" to me.
    >> 
    VPNC> We hear differently. No one creating a VPN (as compared to 
    VPNC> opportunistic encryption) can pick random CAs. For VPNs, there is a 
    VPNC> shared trusted CA
    >> 
    >> So, why is there a problem with telling the CA what needs to go into the
    >> certificate?

    D> You might not control the CA you are using.  Even if you do, you might have
    D> some constraints on what goes in the certificate imposed by some other piece of
    D> (frequently broken) software that you also use that certificate with.

  Okay, so we have to do silly things with IKE*v2* so that a piece of
software, installed in only one place, for which there are multiple
commercial and open-source implementations does not have to be replaced.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
