RE: comments on draft-ietf-ipsec-pki-req-01.txt - alternate name s
Greg Carter <greg.carter@entrust.com> Thu, 10 September 1998 15:25 UTC
Message-ID: <D789F71F24B4D111955D00A0C99B4F50BEA578@sothmxs01.entrust.com>
From: Greg Carter <greg.carter@entrust.com>
To: Tero Kivinen <kivinen@ssh.fi>, 'Rodney Thayer' <rodney@tillerman.nu>
Cc: ipsec@tis.com
Subject: RE: comments on draft-ietf-ipsec-pki-req-01.txt - alternate name s
Date: Thu, 10 Sep 1998 11:37:23 -0400

> but you're saying ignore the legitimacy of the identities relative to the
> rest of the world...

Hi Rodney,

If the rest of the world is not secure then yes. You trust that your CA only allowed valid names; whether or not those names can be resolved via DNS (or whatever) is not important. What is important is that your policy database contain an entry for the name. If it does then apply the rules found. You know that the other end is who they say they are because your CA allowed the identity in the certificate. You allow the connection because you found relevant policy for that identity.

If the name can be resolved then that may be a good sanity check, but unless it's secured it hasn't gained you much. So I am in agreement with Tero.

----
Greg Carter, Entrust Technologies
greg.carter@entrust.com