Re: Summary of revised identity changes
>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:

Stephen> could you elaborate a bit. I can see some circumstances where
Stephen> this would be true, but I'm not sure how common the problem
Stephen> would be. for example, a cert with my e-mail address is a

Let me put it this way - I have yet to see a two node VPN that was built
with commercial VPN products actually use RSA authentication - the X.509 hill
is just too steep. This is *WITHOUT* any restrictions on certificate contents.
I've seen a lot of installations.

At the same time, the *ONLY* reason that the X.509 patches exist for
FreeS/WAN is pretty much to talk to Win32 implementations that can
barely handle self-signed certificates. They *CERTAINLY* aren't getting the
contents of the certificate request correct very often either.

Stephen> perfectly fine user ID cert for IPsec, as well as for s/mime,
Stephen> and it might be OK for authenticating me in an SSL/TLS context
Stephen> as well.

Can you tell me how I initiate to another system based upon an e-mail
address? Remember, since we eliminated the mapping, you can't insert anything
that says:

    CN=kent@bbn.com 192.160.6.91

so, how do you set up *two* systems that can talk to each other?
Where are they? No, there is no configuration file, this proposal eliminates
the need for it.... it might be wrong.

>> While that may be the desired effect for people with real PKI
>> infrastructure and real PKI clue, for the people who just want to
>> connect two LANs with a VPN, a self-signed certificate generated by
>> openssl is *just fine*.
>>
>> If they have to get right goop in place to use certificates, even more
>> people will want to continue using pre-shared keys.
>>
>> Now, if you, instead, are willing to say:
>>
>> All implementations MUST support RAW RSA key formats, providing a way
>> to load/save them interactively (i.e. in a UI or CLI) in RFC3110
>> format.
>>
>> Then, you can do whatever you want with certificates. But, up to this
>> point, even doing self-signed X.509 (I wish they'd say "RFC2459"
>> certificates) is hard for many products, and people therefore resort
>> to pre-shared keys.
>>
Stephen> I too don't want to promote use of pre-shared keys. But, if I
Stephen> have a RAW RSA format, what is the mechanism by which this
Stephen> identifies me? It is not one of the ID types supported by the

It identifies you because I said it did. Stop thinking about million node
VPNs for a minute.

Think about Bob's diner's two franchises. He buys two D-Link IPsec/DSL
boxes. These are like ~$200 each. He hires some kid to hook them up into a
VPN. He plugs his Cisco IP phones in, and his cash registers in.

Stephen> SPD. If you're saying that we need another mapping table from
Stephen> key to ID, then I have the same concerns re getting this mapping
Stephen> wrong.

Let's go back here a moment.

If you make it hard, then people will use PSK. As such, you lose.

If you want to kill public key use of IPsec with PKI, this proposal is a
way to do it. Go see EAP thread, cause we will need it.

] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
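
Added example (not part of the original message, and not code from FreeS/WAN or any product named in the thread): a sketch of loading and saving a raw RSA public key in the RFC 3110 layout the message asks for, with a short fingerprint an operator could compare out of band before pinning a peer's key. All function names are hypothetical and the key is a constructed toy value.

```python
import base64
import hashlib

# Constructed toy modulus (product of two Mersenne primes); far too small for real use.
TOY_N = (2**127 - 1) * (2**89 - 1)
TOY_E = 65537

def _minimal(n):
    # Big-endian with no leading zero octets, as RFC 3110 requires.
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def encode_rfc3110(e, n):
    """exponent length (1 or 3 octets) | exponent | modulus."""
    if e <= 0 or n <= 0:
        raise ValueError("exponent and modulus must be positive")
    exp = _minimal(e)
    if len(exp) > 0xFFFF:
        raise ValueError("exponent too long")
    # Lengths above 255 use a zero octet followed by a 16-bit length.
    prefix = bytes([len(exp)]) if len(exp) <= 255 else b"\x00" + len(exp).to_bytes(2, "big")
    return prefix + exp + _minimal(n)

def decode_rfc3110(blob):
    """Return (e, n); reject truncated or non-canonical input."""
    if not blob:
        raise ValueError("empty key")
    if blob[0]:
        elen, off = blob[0], 1
    elif len(blob) >= 3:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    else:
        raise ValueError("truncated length field")
    exp, mod = blob[off:off + elen], blob[off + elen:]
    if len(exp) != elen or not exp or not mod:
        raise ValueError("truncated key")
    if exp[0] == 0 or mod[0] == 0:
        raise ValueError("leading zero octet")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def save_text(e, n):
    # Base64 line an operator can paste into a CLI or UI.
    return base64.b64encode(encode_rfc3110(e, n)).decode("ascii")

def load_text(text):
    return decode_rfc3110(base64.b64decode(text.strip(), validate=True))

def fingerprint(e, n):
    # Short value to compare out of band before pinning a peer's key.
    return hashlib.sha256(encode_rfc3110(e, n)).hexdigest()[:16]

if __name__ == "__main__":
    print(save_text(TOY_E, TOY_N), fingerprint(TOY_E, TOY_N))
```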