RE: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
Rodney Thayer <rodney@tillerman.nu> Fri, 11 September 1998 01:17 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id VAA26055 for ipsec-outgoing; Thu, 10 Sep 1998 21:17:09 -0400 (EDT)
Message-Id: <199809110030.UAA03832@2gn.com>
X-Sender: rodney@module-one.tillerman.nu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.2
Date: Thu, 10 Sep 1998 21:32:41 -0400
To: Greg Carter <greg.carter@entrust.com>
From: Rodney Thayer <rodney@tillerman.nu>
Subject: RE: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
Cc: ipsec@tis.com
In-Reply-To: <D789F71F24B4D111955D00A0C99B4F50BEA578@sothmxs01.entrust.c om>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
So this means that what we are trusting is that the CA signed a certificate which represented some identification that the CA found acceptable. It seems to me that all this "but the CA said it was ok" logic ignores the possibility that the private key might be stolen. I am not arguing with the fact the CA said it was ok, I am thinking about the case where the situation has changed, and, for example, the private key got stolen (i.e. the router was stolen and is now sitting on some other network with a different IP address.) At 11:37 AM 9/10/98 -0400, you wrote: > >> but you're saying ignore the legitimacy of the identities relative to the >> rest of the world... >> >> >Hi Rodney, >If the rest of the world is not secure then yes. You trust that your CA >only allowed valid names, whether or not those names can be resolved via DNS >(or whatever) is not important. What is important is that your policy >database contain an entry for the name. If it does then apply the rules >found. You know that the other end is who they say they are because your CA >allowed the identity in the certificate. You allow the connection because >you found relevant policy for that identity. > >If the name can be resolved then that may be a good sanity check, but unless >its secured it hasn't gained you much. > >So I am in agreement with Tero. >---- >Greg Carter, Entrust Technologies >greg.carter@entrust.com >
- comments on draft-ietf-ipsec-pki-req-01.txt - alt… Moshe Litvin
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Michael C. Richardson
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Tero Kivinen
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Joern Sierwald
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Tero Kivinen
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Steven M. Bellovin
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Moshe Litvin
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Dave Mason
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer
- RE: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Michael C. Richardson
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… bmanning
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Dave Mason
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rizwan Mallal
- RE: comments on draft-ietf-ipsec-pki-req-01.txt -… Dave Mason
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… C. Harald Koch
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Michael C. Richardson
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Dave Mason
- Re: comments on draft-ietf-ipsec-pki-req-01.txt -… Rodney Thayer