
Old discussion - subject - Me tarzan and me jane




Hi,
    I went through the messages posted on the above subject, but did not find
    any conclusion on that.

    IPSEC implementations today compare the ID data in the received ID payload
    with the ID information in the peer certificate, and if no certificate ID
    matches the ID in the ID payload, the transaction is declined. There was
    some discussion in the Mar/Apr 2003 time frame about making this a local
    matter, but it is creating interoperability problems.

    I see somebody indicating that it is not possible to extract the ID from
    the certificate and that is why the check should be made a local matter.
    I hope this can't be the justification, and if that is so, then
    impersonation is possible. Implementations, at minimum, must ensure that
    one of the IDs in the certificate matches (fully or partially) the ID
    configured locally in the IKE policy.

    I see one post indicating that the sender may not know the ID that needs
    to be used while sending the ID in the ID payload, as the certificate may
    have multiple IDs in it. This may be true, but in my view, any of the IDs
    can be sent in the ID payload. The receiver of the ID payload can ensure
    that the received ID is one of the IDs in the certificate.

    In my view, we should mandate:
       - The sender of the ID payload MUST send any one of the IDs in his/her
         certificate. This ID should be the one the receiver uses to identify
         the sender for giving appropriate privileges.
       - The receiver of the ID payload MUST ensure that
             -- the received ID is one of the IDs in the peer certificate;
             -- the received ID matches (fully or partially) a locally
                configured 'Accepted Remote ID'.


Thanks
Vamsi
CTO Office
www.intoto.com
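The two receiver-side checks proposed in the message above, as an added example that is not part of the original post or of any IKE implementation. The peer certificate identity list and the 'Accepted Remote IDs' policy are constructed sample data; the ID type labels, and the choice of wildcard patterns and CIDR prefixes as the form of a 'partial' match, are assumptions made for the example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Identity type labels loosely following IKE ID payload type names (assumed labels only).
ID_FQDN, ID_RFC822_ADDR, ID_IPV4_ADDR = "FQDN", "RFC822", "IPV4"

def id_in_certificate(id_type, id_value, cert_ids):
    """Step 1: the received ID must be one of the IDs in the peer certificate."""
    for c_type, c_value in cert_ids:
        if c_type != id_type:
            continue
        if id_type == ID_IPV4_ADDR:
            if ipaddress.ip_address(c_value) == ipaddress.ip_address(id_value):
                return True
        elif c_value.lower() == id_value.lower():  # names and e-mail compare case-insensitively
            return True
    return False

def id_matches_policy(id_type, id_value, accepted_ids):
    """Step 2: full or partial match against the locally configured Accepted Remote IDs.
    Partial match is modeled as a wildcard pattern for names and a CIDR prefix for IPv4."""
    for a_type, a_pattern in accepted_ids:
        if a_type != id_type:
            continue
        if id_type == ID_IPV4_ADDR:
            if ipaddress.ip_address(id_value) in ipaddress.ip_network(a_pattern, strict=False):
                return True
        elif fnmatchcase(id_value.lower(), a_pattern.lower()):
            return True
    return False

def accept_peer_id(id_type, id_value, cert_ids, accepted_ids):
    """Receiver decision: both checks must pass, otherwise the exchange is declined."""
    return (id_in_certificate(id_type, id_value, cert_ids)
            and id_matches_policy(id_type, id_value, accepted_ids))

# Constructed sample peer certificate carrying several identities (SAN-like).
PEER_CERT_IDS = [
    (ID_FQDN, "gw1.branch.example.net"),
    (ID_RFC822_ADDR, "ipsec-gw1@example.net"),
    (ID_IPV4_ADDR, "192.0.2.10"),
]
# Constructed local policy: partial matches via wildcard and CIDR.
ACCEPTED_REMOTE_IDS = [(ID_FQDN, "*.branch.example.net"), (ID_IPV4_ADDR, "192.0.2.0/24")]

if __name__ == "__main__":
    # An ID that matches policy but is absent from the certificate is rejected.
    print(accept_peer_id(ID_FQDN, "gw1.branch.example.net", PEER_CERT_IDS, ACCEPTED_REMOTE_IDS))
    print(accept_peer_id(ID_FQDN, "gw9.branch.example.net", PEER_CERT_IDS, ACCEPTED_REMOTE_IDS))
```

The second call shows the case the message warns about: an ID that fits the local policy but is not certified by the peer's certificate is declined, so a peer cannot claim an identity its certificate does not carry.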