Re: Confirm decision on identity handling.
Brian Korver <briank@briank.com> Fri, 11 April 2003 00:20 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA12985 for <ipsec-archive@lists.ietf.org>; Thu, 10 Apr 2003 20:20:18 -0400 (EDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id SAA06849 Thu, 10 Apr 2003 18:40:19 -0400 (EDT)
User-Agent: Microsoft-Entourage/10.0.0.1331
Date: Thu, 10 Apr 2003 10:58:33 -0700
Subject: Re: Confirm decision on identity handling.
From: Brian Korver <briank@briank.com>
To: Theodore Ts'o <tytso@mit.edu>, ipsec@lists.tislabs.com
Message-ID: <BABAFED9.4F81%briank@briank.com>
In-Reply-To: <E193MxO-0000c8-00@think.thunk.org>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Content-Transfer-Encoding: 7bit
Ted, The proposed text to add sounds good to me. - brian briank@briank.com On 4/9/03 2:18 PM, "Theodore Ts'o" <tytso@mit.edu> wrote: > > At the San Jose IETF, the IPSEC working group came to a rough > consensus (confirmed by a straw poll) to solve an interoperability > problem as follows: (quoting from the minutes) > >> Comment: Deal with this in 2401bis. Short term solution is to say that what >> goes in ID v CERT payload is a local matter for now. It need not match. >> >> Comment: SO we will put in sentence that ID payload is for policy lookup and >> does not need to match anything in CERT payload. Both fields may be used >> for access control decisions, but need not be correlated. 2-1 in favor. > > The consensus was relatively rough, and there was a desire expressed > by some to continue the discussion on the list. > > In order to move the discussion forward, we propose the following > addition to section 3.5 of the ikev2-06 as meeting the spirit of the > consensus which was developed in San Francisco. Append to the first > paragraph, which begins: > > The Identification Payload, denoted ID in this memo, allows peers to > assert an identify to one another. The ID Payload names the identity > to be authenticated with the AUTH payload. > > .. the following text: > > ... This identity is used for policy lookup, but does not > necessarily have to match anything in the CERT payload; both fields > may be used by an implementation to perform access control > decisions. > > Discussion: > > The implication of this change, as was discussed in San Francisco, is > that it gives freedom to implementations to make more sophisticated > access control policies, where the responder might use the identity in > the ID payload to look up an access control list, and match the > subject name in the certificate against that ACL, for example. This > can be advantageous in that do not need to dictate the form of the > subject names in the certificate, which could promote the reuse of > certificates across multiple applications. The downside is that the > initiator must now allow the configuration of two pieces of > information; there is an additional configuration "knob" which must be > set correct in order for two peers to successfully ocmmunicate. > > There are other alternatives, which have been discussed in the past. > Two self-consistent and workable alternatives are presented here: > > 2) Require that that IPSEC strictly define the types of X.509 > certificate subject names that would be accepted, and precisely define > the matching rules of the identity payload. This in effect would > predefine the access control policies in the system. One mechanism > for doing so can be found in section 3.2 of > draft-ietf-ipsec-pki-profile-02.txt. > > 3) Specify that the ID payload must not be sent and/or is ignored when > using certificates to authenticate. In this case, the Certificate > subject name is used to lookup the policy information associated with > the SA instead of the contents identity payload. (This is essentially > very similar to a proposla contained in Paul Hoffman's > revised-identity I-D.) > > These alternatives have tradeoffs: to differing degress, they > essentially limit flexibility in the choice of certificate names and > the name (identity) used to look up policy information. In the first > case, the choice of the name found in certificate is limited to > something which passes the matching rule defined in the pki-profile > I-D when the subject name or the subject alt name is matched against > the contents of the identity payload. In the second case, the name > used to look up the SA policy is constrained to be exactly the subject > name in the certificate, or perhaps the certificate itself. > > The latter alternative in particular may impact some implementations > significantly, by changing the key used to look up and manage SA > policy information. > > Decision path: > > At the San Francisco meeting, there was clear (but rough) consensus to > explicitly specify that the contents of the ID payload do not have to > match the contents of the CERT payload, and which will require that > initiators have sufficient configuration controls to set both the ID and > Cert payloads. Proposed text which implements this rough conensus has > been included in this messange. > > Since the straw poll indicated that of the people in the room at San > Francisco, that people were 2-1 in favor of this choice, and this > chice should be considered the privileged or "default" choice. > However, especially given the roughness of the consensus there, this > decision must be confirmed on the mailing list. People who believe > that one of the above alternatives, or some other alternative, should > be adopted instead, are encouraged to speak up. >
- Confirm decision on identity handling. Theodore Ts'o
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. jpickering@creeksidenet.com
- Re: Confirm decision on identity handling. Andrew Krywaniuk
- Re: Confirm decision on identity handling. Brian Korver
- Re: Confirm decision on identity handling. Ravi
- Re: Confirm decision on identity handling. Theodore Ts'o
- Re: Confirm decision on identity handling. Ravi
- Re: Confirm decision on identity handling. Niklas Hallqvist
- Re: Confirm decision on identity handling. jpickering@creeksidenet.com
- Re: Confirm decision on identity handling. Antonio Forzieri
- Re: Confirm decision on identity handling. Stephen Kent
- RE: Confirm decision on identity handling. Gregory Lebovitz
- RE: Confirm decision on identity handling. Gregory Lebovitz
- RE: Confirm decision on identity handling. Andrew Krywaniuk
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Richardson
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Scott G. Kelly
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Scott G. Kelly
- RE: Confirm decision on identity handling. Paul Hoffman / VPNC
- RE: Confirm decision on identity handling. jknowles
- RE: Confirm decision on identity handling. jknowles
- RE: Confirm decision on identity handling. Gregory Lebovitz
- RE: Confirm decision on identity handling. Gregory Lebovitz
- Re: Confirm decision on identity handling. Scott G. Kelly
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. David Wierbowski
- Re: Confirm decision on identity handling. Michael Richardson
- RE: Confirm decision on identity handling. jknowles
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Andrew Krywaniuk
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. David Wierbowski
- Re: Confirm decision on identity handling. Scott G. Kelly
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Andrew Krywaniuk
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- RE: Confirm decision on identity handling. Gregory Lebovitz
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Francis Dupont
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- RE: Confirm decision on identity handling. Gregory Lebovitz
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Ravi
- [Fwd: Confirm decision on identity handling.] Scott G. Kelly
- Re: Confirm decision on identity handling. Uri Blumenthal
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Uri Blumenthal
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Thomas
- some thoughts on identity handling Stephen Kent
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: some thoughts on identity handling Michael Richardson
- Re: [Fwd: Confirm decision on identity handling.] Ravi
- Re: Confirm decision on identity handling. Charlie_Kaufman
- Re: Confirm decision on identity handling. Charlie_Kaufman
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Greg Troxel
- Re: Confirm decision on identity handling. Paul Koning
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. D. K. Smetters
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. D. K. Smetters