
Re: 2401bis Issue # 89 -- Remove the selector "name"

Hi Paul,

First, let's be clear: some folks use fqdn as a psk selector in remote 
access. This is distinct from the DN/GN question, and the two should not 
(necessarily) be lumped into one bin.

As for DN/GN, the fact that some folks choose not to use this does not 
mean it is not useful, or that it should be eliminated. Why not leave it 
in, so that people who choose to use it have that option? Otherwise, 
those wanting such functionality will be forced to be creative, and this 
results in less rather than more interoperability.

I think the argument you make below actually suggests the need for a new 
name type (i.e. issuerName), rather than making the case for removing 
DN/GN. The bottom line is that we need non-numeric ways to identify 
peers. How will we do that if these ID types are eliminated?

Scott

Paul Hoffman / VPNC wrote:
> At 8:57 AM -0700 10/23/03, Scott G. Kelly wrote:
> 
>> The name selector is often used for remote access, and maybe for other 
>> applications. I know of several ipsec implementations which use fqdn 
>> for remote access policy selection, and without DN, how do we apply 
>> access controls based on certs?
> 
> 
> This has been debated many times before. Some systems have policies that 
> allow any cert that is signed by the trusted CA to have access. That is, 
> the granularity is based on the trusted root, not on the identity. This 
> means that a sysadmin doesn't have to list a zillion users, all of whom 
> have identical access rights; it also means that the user has access as 
> soon as they have their cert, without interaction from the sysadmin who 
> is just going to duplicate what they did for the last user.
> 
> Names are useful for systems that differentiate by user, but they kill 
> the ability to differentiate by certifier.
> 
> --Paul Hoffman, Director
> --VPN Consortium
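The two policy granularities argued over in this exchange, per-user matching on a name (FQDN or subject DN) and per-certifier matching on the issuing CA, can sit side by side in one ordered policy table. The following is an added illustration written for this page; it is not code from RFC 2401bis, from the thread, or from any IPsec implementation. The PeerIdentity and PolicyEntry shapes, the id_type strings "fqdn", "dn" and "issuer" (the last standing in for the issuerName type Scott floats), the DN normalization and the sample names are all assumptions made for the example.

```python
"""Constructed illustration of name-based vs certifier-based peer policy.

Added example, not text from the thread, RFC 2401bis or any IPsec
implementation. The PeerIdentity fields, the PolicyEntry shape, the id_type
strings ("fqdn", "dn", "issuer") and the sample names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PeerIdentity:
    """What the responder learns from the peer's certificate (assumed names)."""
    subject_dn: str              # certificate subject, e.g. "CN=alice,O=Example"
    issuer_dn: str               # certificate issuer, i.e. the certifier
    fqdn: Optional[str] = None   # subjectAltName dNSName, if any


@dataclass(frozen=True)
class PolicyEntry:
    """One ordered policy row.

    "fqdn" and "dn" identify a particular host or user; "issuer" identifies
    the certifier (a hypothetical issuerName selector, not a defined ID type).
    """
    id_type: str
    value: str
    action: str   # "protect" or "discard" (simplified SPD actions)


def normalize_dn(dn: str) -> str:
    """Canonicalize a comma-separated DN string for comparison.

    Attribute types are upper-cased and values lower-cased. This is a
    deliberate simplification of X.500 name matching, not an implementation.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip().lower()}")
    return ",".join(rdns)


def match(entry: PolicyEntry, peer: PeerIdentity) -> bool:
    """Does one policy row apply to this peer?"""
    if entry.id_type == "fqdn":
        return peer.fqdn is not None and peer.fqdn.lower() == entry.value.lower()
    if entry.id_type == "dn":
        return normalize_dn(peer.subject_dn) == normalize_dn(entry.value)
    if entry.id_type == "issuer":
        return normalize_dn(peer.issuer_dn) == normalize_dn(entry.value)
    raise ValueError(f"unknown id_type {entry.id_type!r}")


def lookup(policy: List[PolicyEntry], peer: PeerIdentity) -> Optional[PolicyEntry]:
    """First-match search, mirroring an ordered SPD walk. None means no row
    matched; the caller treats that as discard."""
    for entry in policy:
        if match(entry, peer):
            return entry
    return None


def decide(policy: List[PolicyEntry], peer: PeerIdentity) -> str:
    entry = lookup(policy, peer)
    return entry.action if entry is not None else "discard"


# Constructed sample policy. The first two rows differentiate by user or
# host; the third admits every certificate from the trusted CA, so a new user
# under that CA needs no per-user row (Paul's case). Both styles coexist.
POLICY = [
    PolicyEntry("dn", "CN=mallory, O=Example", "discard"),         # one named user denied
    PolicyEntry("fqdn", "gw1.example.test", "protect"),            # one named gateway
    PolicyEntry("issuer", "CN=Example CA, O=Example", "protect"),  # anyone that CA signed
]

# Constructed peers.
MALLORY = PeerIdentity("CN=Mallory,O=Example", "CN=Example CA,O=Example")
GATEWAY = PeerIdentity("CN=gw1,O=Example", "CN=Other CA,O=Other", fqdn="GW1.example.test")
NEWUSER = PeerIdentity("CN=dave,O=Example", "CN=Example CA,O=Example")
OUTSIDER = PeerIdentity("CN=eve,O=Elsewhere", "CN=Unknown CA,O=Elsewhere")

if __name__ == "__main__":
    for name, peer in [("mallory", MALLORY), ("gateway", GATEWAY),
                       ("newuser", NEWUSER), ("outsider", OUTSIDER)]:
        print(f"{name}: {decide(POLICY, peer)}")
```

Order matters: the per-user "discard" row must precede the issuer row, otherwise the certifier-wide grant would admit the named user first. That is the practical reason name selectors and a certifier selector are complementary rather than alternatives.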