
Re: Remaining open issues for RFC-2401bis



-----BEGIN PGP SIGNED MESSAGE-----


(mostly, "What Tero said")

>>>>> "Tero" == Tero Kivinen <kivinen@iki.fi> writes:
    Tero> We already have rfc822 address for user account name, why
    Tero> would we need separate account name id? The ID_KEY_ID is also
    Tero> defined to be something that is NOT matched against anything
    Tero> in the certificates etc, it is only matched against the built
    Tero> in policy (i.e. mostly useful in shared-key
    Tero> authentication). In those cases the bit-comparison is much
    Tero> better.

  The reason I can imagine (now, after reading your message) is because
the certificate (not RSA key) doesn't have that rfc822 address in it,
and the gateway isn't capable of having policy indexed by anything not in
the certificate unless it is ID_KEY_ID.
  (I think such a gateway is totally broken, though)

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQGCRqoqHRg3pndX9AQEs/gQAv1bK+z2t/Yzb+BmbsH63OHfyMZV8QHxp
OlwP4460kde43EPrO377nmEuaMHcPouXRWvNgTiFKz3LA+qZwjJk0Xet7LrYVYgc
6DNvTL5PfbE3SJjuSptmTpg7xlfwtGyc74IIAXy315fwBRggDmf6iHxRHACshYrE
b2QCBZZ94uI=
=it/s
-----END PGP SIGNATURE-----
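The two matching rules discussed in the thread, as an added illustration that is not part of the original message or of any IKE implementation: an ID_KEY_ID is compared bit-for-bit against the responder's local policy table and never against certificate contents, while an rfc822 address is only accepted when it is also bound to the peer's certificate. The payload layout (one ID Type octet, three reserved octets, then the identification data) and the type values 3 (ID_RFC822_ADDR) and 11 (ID_KEY_ID) follow the IKEv2 ID payload; the policy table, key id, and e-mail address are constructed sample data.

```python
import hmac
from dataclasses import dataclass

ID_RFC822_ADDR = 3   # IKE ID type: e-mail style identity, matched against the certificate
ID_KEY_ID = 11       # IKE ID type: opaque octet string, matched only against local policy


@dataclass(frozen=True)
class Identity:
    id_type: int
    data: bytes


def parse_id_payload(body: bytes) -> Identity:
    """Parse the body of an IKEv2 Identification payload (assumed layout):
    1 octet ID Type, 3 RESERVED octets (must be zero), then the identification data."""
    if len(body) < 4:
        raise ValueError("ID payload body too short")
    if body[1:4] != b"\x00\x00\x00":
        raise ValueError("reserved octets must be zero")
    return Identity(body[0], body[4:])


# Constructed local policy: peer identity -> (authentication method, traffic selector).
# Hypothetical values; a real gateway would load these from its configuration.
POLICY = {
    Identity(ID_RFC822_ADDR, b"alice@example.org"): ("cert", "10.1.0.0/16"),
    Identity(ID_KEY_ID, bytes.fromhex("00112233445566778899aabbccddeeff")): ("psk", "10.2.0.0/16"),
}


def lookup_policy(peer_id: Identity, cert_rfc822_names=()):
    """Return the policy entry for a peer identity, or None if it must be rejected.

    cert_rfc822_names: rfc822 names taken from the peer's (already validated)
    certificate; ignored for ID_KEY_ID, which is never matched against a certificate.
    """
    if peer_id.id_type == ID_KEY_ID:
        # Opaque identifier: exact byte comparison against the policy table only.
        # compare_digest keeps the comparison time independent of where the first
        # mismatching byte is, so a rejected key id leaks nothing about stored ones.
        for pol_id, entry in POLICY.items():
            if pol_id.id_type == ID_KEY_ID and hmac.compare_digest(pol_id.data, peer_id.data):
                return entry
        return None
    if peer_id.id_type == ID_RFC822_ADDR:
        # The claimed address must be carried in the certificate that authenticated
        # the peer; a policy hit alone is not enough (the "broken gateway" case).
        if peer_id.data not in cert_rfc822_names:
            return None
        return POLICY.get(peer_id)
    return None  # other ID types are outside this example


if __name__ == "__main__":
    alice = parse_id_payload(b"\x03\x00\x00\x00alice@example.org")
    print(lookup_policy(alice, cert_rfc822_names=(b"alice@example.org",)))
    print(lookup_policy(alice))  # same identity, but not bound to a certificate
    keyed = Identity(ID_KEY_ID, bytes.fromhex("00112233445566778899aabbccddeeff"))
    print(lookup_policy(keyed))
```

The point of keeping the two paths separate is that an rfc822 identity only means something if the certificate vouches for it, whereas ID_KEY_ID is a pure policy index, so a gateway that wants to key policy on data absent from the certificate should be using ID_KEY_ID rather than bending the rfc822 rule.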