Re: Confirm decision on identity handling.
>>>>> "D" == D K Smetters <smetters@parc.com> writes:
VPNC> At 3:01 PM -0400 5/20/03, Michael Richardson wrote:
>> >> What I do hear is that the VPN has to work for two parties who have
>> >> picked random CAs, and can't control what goes into the
>> >> certificate. That sure sounds like "two random parties" to me.
>>
VPNC> We hear differently. No one creating a VPN (as compared to
VPNC> opportunistic encryption) can pick random CAs. For VPNs, there is a
VPNC> shared trusted CA
>>
>> So, why is there a problem with telling the CA what needs to go into the
>> certificate?
D> You might not control the CA you are using. Even if you do, you might have
D> some constraints on what goes in the certificate imposed by some other piece of
D> (frequently broken) software that you also use that certificate with.
Okay, so we have to do silly things with IKE*v2* so that a piece of
software, installed in only one place, for which there are multiple
commercial and open-source implementations does not have to be replaced.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [