Re: 2401bis Issue # 89 -- Remove the selector "name"
The name selector is often used for remote access, and maybe for other
applications. I know of several IPsec implementations which use FQDN for
remote access policy selection, and without DN, how do we apply access
controls based on certs?
Scott
Karen Seo wrote:
> Folks,
>
> Here's a description and proposed approach for:
>
> IPsec Issue #: 89
>
> Title: Remove the selector "name"
>
> Description
> ===========
> In the interest of simplifying things, we propose to remove the selector
> "Name". Is anyone using this selector?
>
> Proposed approach
> =================
> Remove text such as the following:
>
> [From Section 4.4.2 "Selectors"]
>
>   "- Name: There are 2 cases (Note that these name forms are
>      supported in the IPsec DOI.)
>        1. User ID
>           a. a fully qualified user name string (DNS),
>              e.g., mozart@foo.bar.com
>           b. X.500 distinguished name, e.g., C = US,
>              SP = MA, O = GTE Internetworking, CN =
>              Stephen T. Kent.
>        2. System name (host, security gateway, etc.)
>           a. a fully qualified DNS name, e.g.,
>              foo.bar.com
>           b. X.500 distinguished name
>           c. X.500 general name
>
>      NOTE: One of the possible values of this selector is
>      "OPAQUE".
>
>      [REQUIRED for the following cases. Note that support
>       for name forms other than addresses is not required for
>       manually keyed SAs.
>         o User ID
>            - native host implementations
>            - BITW and BITS implementations acting as HOSTS
>              with only one user
>            - security gateway implementations for INBOUND
>              processing.
>         o System names -- all implementations]"
>
> Thank you,
> Karen
>
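The selector forms quoted above, worked through as an added example (this is not code from the thread, from Karen's draft text, or from any IPsec implementation): a toy ordered SPD whose entries key on the "Name" selector, looked up by the identity a remote-access peer authenticated with rather than by its address. The entry labels, the names, the `*`-suffix pattern syntax and the DN comparison rules are constructed assumptions for illustration; a real implementation would compare the DER-encoded Name from the peer's certificate and take the identity from the IKE ID payload (ID_USER_FQDN, ID_FQDN or ID_DER_ASN1_DN in the IPsec DOI).

```python
# Added example: a toy ordered SPD using the RFC 2401 "Name" selector forms.
# All entries, names and matching rules below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

OPAQUE = "OPAQUE"                 # selector value from the text: name not examined
NAME_KINDS = ("user_fqdn", "user_dn", "system_fqdn", "system_dn")


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn 'C = US, O = GTE Internetworking, CN = Stephen T. Kent' into a dict.

    Assumption for this toy: a DN is a comma-separated list of 'type = value'
    pairs, attribute types are case-insensitive, values are compared exactly
    after trimming, and RDN order is ignored. Escaped commas are not handled.
    Real implementations compare the DER-encoded Name, not a display string.
    """
    rdns: Dict[str, str] = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns[attr.strip().upper()] = value.strip()
    return rdns


@dataclass(frozen=True)
class NameSelector:
    kind: str            # one of NAME_KINDS, or OPAQUE
    pattern: str = ""    # exact name, or '*' + suffix (e.g. '*@foo.bar.com', '*.bar.com')

    def matches(self, kind: str, name: str) -> bool:
        if self.kind == OPAQUE:           # OPAQUE: selector places no constraint on the name
            return True
        if self.kind != kind:             # a user-ID selector never matches a system name
            return False
        if kind.endswith("_dn"):
            return parse_dn(self.pattern) == parse_dn(name)
        # FQDN forms: DNS names are case-insensitive; a leading '*' means suffix match
        if self.pattern.startswith("*"):
            return name.lower().endswith(self.pattern[1:].lower())
        return name.lower() == self.pattern.lower()


@dataclass(frozen=True)
class SPDEntry:
    label: str
    selector: NameSelector
    action: str          # PROTECT, BYPASS or DISCARD, as in RFC 2401


# Constructed SPD. It is ordered: the first matching entry wins.
SPD: List[SPDEntry] = [
    SPDEntry("admin",
             NameSelector("user_dn", "C = US, SP = MA, O = GTE Internetworking, CN = Stephen T. Kent"),
             "PROTECT"),
    SPDEntry("staff", NameSelector("user_fqdn", "*@foo.bar.com"), "PROTECT"),
    SPDEntry("site-gateways", NameSelector("system_fqdn", "*.bar.com"), "PROTECT"),
    SPDEntry("default", NameSelector(OPAQUE), "DISCARD"),
]


def lookup(spd: List[SPDEntry], kind: str, name: str) -> Optional[SPDEntry]:
    """Return the first SPD entry whose name selector matches the peer's identity."""
    if kind not in NAME_KINDS:
        raise ValueError(f"unknown name form: {kind}")
    for entry in spd:
        if entry.selector.matches(kind, name):
            return entry
    return None


if __name__ == "__main__":
    # A remote-access client's address is not known before it connects, so the
    # policy is chosen by the authenticated identity, not by the source address.
    for kind, name in [
        ("user_dn", "CN = Stephen T. Kent, O = GTE Internetworking, SP = MA, C = US"),
        ("user_fqdn", "mozart@foo.bar.com"),
        ("system_fqdn", "gw2.bar.com"),
        ("user_fqdn", "mozart@example.org"),
    ]:
        e = lookup(SPD, kind, name)
        print(f"{kind:12} {name:60} -> {e.label}/{e.action}")
```

The trailing OPAQUE entry is what gives the gateway a safe default: an authenticated identity that matches no explicit entry is discarded instead of falling through. Note that the wildcard is a suffix match, so `*.bar.com` matches `gw2.bar.com` but not `bar.com` itself, and a selector of one kind never matches a name of another kind even when the strings would line up.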