Re: PKIX vs draft-ietf-ipsec-pki-req-02.txt

[Michael Richardson <mcr@sandelman.ottawa.on.ca>]

>>>>> "Mark" == Mark Shuttleworth <marks@thawte.com> writes:
    Mark> I'm certainly in agreement with you about overloading. But I think
    Mark> that organizations will want to build SIMPLE rules to differentiate
    Mark> between routers, gateways and end-users. They should be able to do
    Mark> this JUST by looking at the cert, and not by referring to a
    Mark> directory or other source (otherwise you add another fragile link
    Mark> in the chain).

  So, sign these three things with different CAs.
  Better yet, attach attribute authority or SPKI certs to the plain
certificate. 

    Mark> For example, in many of the current implementations I've seen you
    Mark> have to explicitly manually trust the certificates of each of the
    Mark> devices you want to talk to. This is a configuration nightmare in
    Mark> larger-scale deployments. Each device needs to be manually told

  That is why you want AA or SPKI certificates.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [