Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
Tero Kivinen <kivinen@ssh.fi> Thu, 10 September 1998 12:43 UTC
Date: Thu, 10 Sep 1998 16:00:37 +0300
Message-Id: <199809101300.QAA11201@torni.ssh.fi>
From: Tero Kivinen <kivinen@ssh.fi>
To: Rodney Thayer <rodney@tillerman.nu>
Cc: ipsec@tis.com
Subject: Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
In-Reply-To: <199809101109.HAA00656@2gn.com>
References: <199809092123.RAA30098@2gn.com> <35F56A73.E0376BE8@cale.checkpoint.com> <199809101154.OAA09700@torni.ssh.fi> <199809101109.HAA00656@2gn.com>
Organization: SSH Communications Security Oy

Rodney Thayer writes:
> [this draft we keep talking about is going through the ietf draft
> papermill as we speak... a preliminary version is at
> <http://wg.unitran.com/ietf-ipsec>]
>
> At 02:54 PM 9/10/98 +0300, you wrote:
> >Rodney Thayer writes:
> >> >> the IKE negotiation in progress. For dNSName the name must be
> >> >> retrieved from the DNS to validate it is valid for the IP address
> >> >> which was the source of the certificate, if known, and for the
> >> >> IKE negotiation in progress. For rFC822Name, the email address
> >
> >I think that there MUST not be any binding with the identity and the
> >ip address of the source packet. The packets can come in from any
> >source ip address, the identity payload contains the real identity
> >information that should be used to first find the certificate (there
> >is NO need to do any dns queries etc to map FQDN to ip address, if the
> >identity payload is fqdn then the certificate MUST contain the same
> >dns name in the dNSName).
> So a random packet from an illegitimate address identified with a
> certificate from example.com (a defined-to-be-invalid domain) is
> fine?

Yes, provided that the other end also has the private key of that
public key in the certificate AND the certificate is signed by the CA
I trust AND my policy database has an entry that example.com is a valid
host to connect.

> So the actual identity and the sanity of that identity are irrelevant?

Identity is just a key to be used when searching for the certificate
and the entries from the policy database. The actual value doesn't
matter. If my policy database says that the identity is valid and it
should be allowed to connect, the sanity of it is not an issue. How are
you going to check the sanity of a key-id? You just use that key id as
a key to your policy database and map it to some policy, and some
authentication information.

> but you're saying ignore the legitimacy of the identities relative
> to the rest of the world...

I am saying that in most cases you should not trust only the
certificate to give access to your host, you also should have some
kind of policy statement (authorization) saying that yes, the owner
of that certificate is authorized to do something. For some cases it is
ok just to allow anybody in who can provide the certificate signed by
verisign, but at least in VPN boxes you probably don't want to use that
kind of policy.
--
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
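
The decision order argued for in the message above, as an added Python example that is not part of the original post or of any IKE implementation. The `Cert` and `Peer` types, the policy table and all sample values are constructed, and CA signature validation and proof of private-key possession are assumed to happen elsewhere and arrive here as plain fields.

```python
# Added illustration: identity payload -> policy entry -> certificate checks.
# All type names and sample data are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str                 # CA that signed the certificate (chain check assumed done)
    dns_names: tuple = ()       # subjectAltName dNSName entries
    rfc822_names: tuple = ()    # subjectAltName rFC822Name entries

@dataclass
class Peer:
    id_type: str                # "fqdn", "rfc822" or "key_id"
    id_value: str               # contents of the IKE identity payload
    source_ip: str              # recorded only; never used in the decision
    cert: Cert = None
    proved_private_key: bool = False  # result of IKE signature check (assumed)

TRUSTED_CAS = {"Example Root CA"}
# Policy database keyed by identity; the value is what the peer is authorized for.
POLICY_DB = {
    ("fqdn", "gw.example.com"): "vpn-tunnel",
    ("key_id", "0x1a2b"): "vpn-tunnel",
}

def authorize(peer, policy_db=POLICY_DB, trusted_cas=TRUSTED_CAS):
    """Return (allowed, policy_or_reason). The source address is not consulted."""
    policy = policy_db.get((peer.id_type, peer.id_value.lower()))
    if policy is None:
        return False, "no policy entry for identity"
    if peer.cert is None or peer.cert.issuer not in trusted_cas:
        return False, "certificate not issued by a trusted CA"
    # An fqdn or rfc822 identity must appear in the matching alternate name;
    # a key_id has no name to compare (assumption of this example).
    names = {"fqdn": peer.cert.dns_names,
             "rfc822": peer.cert.rfc822_names}.get(peer.id_type)
    if names is not None and peer.id_value.lower() not in {n.lower() for n in names}:
        return False, "identity not present in certificate"
    if not peer.proved_private_key:
        return False, "no proof of private key possession"
    return True, policy
```

A certificate from a trusted CA for an identity with no policy entry is rejected, which is the VPN-box case the message closes on.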