Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
Dave Mason <dmason@tis.com> Thu, 10 September 1998 22:02 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA25550 for ipsec-outgoing; Thu, 10 Sep 1998 18:02:09 -0400 (EDT)
Date: Thu, 10 Sep 1998 18:23:31 -0400
From: Dave Mason <dmason@tis.com>
Message-Id: <199809102223.SAA28761@rubicon.rv.tis.com>
To: ipsec@tis.com
Subject: Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Can someone give me a real-life example of how having the subjectAltName field closes a security hole that exists when the subjectAltName field isn't present?

Does stating that the PKI MUST provide for the use of at least two public key technologies (section 2.1) mean that IPSec devices MUST always have at least two usage certificates with differing public key technologies? If not, why is having two public key technologies required for a PKI cryptographically sound environment but not for an IPsec device cryptographically sound environment?

In section 2.2 what is the basis for the seemingly arbitrary number of 8 in the paragraph that starts "IPSec devices MUST support a signing hierarchy ..."? I'm not really sure what is meant by this paragraph. Does it mean you must be able to support the simultaneous use of eight or more root signing certificates, or does it mean you must support signing chains of length up to 8 or longer?

In the next paragraph, why must all the certificates have the same key length? Why can't the root signing cert be 2048 and the usage cert be 1024? Why can't the IPsec device have a 1024 cert that it uses for most connections and a 2048 cert that it uses for connections requiring a greater level of security?

Does the third paragraph of section 3.2 mean that IKE implementations should not accept or send certificate chains via IKE?

-dmason
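As an added illustration (not part of this message or of the draft) of the identity-binding role subjectAltName plays in IPsec peer authentication: the check below accepts a peer only if its claimed IKE identity appears in the certificate's subjectAltName, and fails closed when the extension is absent rather than trusting the free-form subject DN. It uses the third-party Python `cryptography` package (assumed installed) and constructs its own throwaway self-signed certificates; the gateway names and addresses are invented.

```python
import datetime
import ipaddress
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def make_self_signed(common_name, san_entries):
    """Build a throwaway self-signed certificate (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if san_entries:
        builder = builder.add_extension(
            x509.SubjectAlternativeName(san_entries), critical=False)
    return builder.sign(key, hashes.SHA256())


def peer_identity_matches(cert, ike_id):
    """True only if the claimed IKE identity (an IP address literal or an FQDN)
    is asserted in the certificate's subjectAltName.  A certificate with no SAN
    binds no network identity at all, so the check fails closed instead of
    falling back to the subject DN, which any CA customer could reuse."""
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    try:
        return ipaddress.ip_address(ike_id) in san.get_values_for_type(x509.IPAddress)
    except ValueError:  # not an IP literal, so compare it as a DNS name
        dns_names = (d.lower() for d in san.get_values_for_type(x509.DNSName))
        return ike_id.lower() in dns_names


# Constructed sample certificates: identical CN, one with a SAN and one without.
GATEWAY_SAN = [x509.IPAddress(ipaddress.IPv4Address("192.0.2.1")),
               x509.DNSName("gw.example.net")]
CERT_WITH_SAN = make_self_signed("IPsec Gateway", GATEWAY_SAN)
CERT_NO_SAN = make_self_signed("IPsec Gateway", [])
```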