Re: Confirm decision on identity handling.
Ravi <ravivsn@roc.co.in> Fri, 11 April 2003 14:44 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA16096 for <ipsec-archive@lists.ietf.org>; Fri, 11 Apr 2003 10:44:30 -0400 (EDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id IAA09318 Fri, 11 Apr 2003 08:51:04 -0400 (EDT)
Message-ID: <3E963C5F.7040202@roc.co.in>
Date: Fri, 11 Apr 2003 09:24:07 +0530
From: Ravi <ravivsn@roc.co.in>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Brian Korver <briank@briank.com>
CC: Theodore Ts'o <tytso@mit.edu>, ipsec@lists.tislabs.com
Subject: Re: Confirm decision on identity handling.
References: <BABAFED9.4F81%briank@briank.com>
Content-Type: multipart/alternative; boundary="------------020507000700030203020206"
X-Virus-Scanned: by AMaViS perl-11
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Hi Ted, This proposal looks OK to me too. As mentioned, it requires configuration of both payload ID information and Certicate ID information to be present in the configuration. -Ravi Brian Korver wrote: >Ted, > >The proposed text to add sounds good to me. > >- brian >briank@briank.com > > >On 4/9/03 2:18 PM, "Theodore Ts'o" <tytso@mit.edu> wrote: > > >>At the San Jose IETF, the IPSEC working group came to a rough >>consensus (confirmed by a straw poll) to solve an interoperability >>problem as follows: (quoting from the minutes) >> >> >> >>>Comment: Deal with this in 2401bis. Short term solution is to say that what >>>goes in ID v CERT payload is a local matter for now. It need not match. >>> >>>Comment: SO we will put in sentence that ID payload is for policy lookup and >>>does not need to match anything in CERT payload. Both fields may be used >>>for access control decisions, but need not be correlated. 2-1 in favor. >>> >>> >>The consensus was relatively rough, and there was a desire expressed >>by some to continue the discussion on the list. >> >>In order to move the discussion forward, we propose the following >>addition to section 3.5 of the ikev2-06 as meeting the spirit of the >>consensus which was developed in San Francisco. Append to the first >>paragraph, which begins: >> >> The Identification Payload, denoted ID in this memo, allows peers to >> assert an identify to one another. The ID Payload names the identity >> to be authenticated with the AUTH payload. >> >>.. the following text: >> >> ... This identity is used for policy lookup, but does not >> necessarily have to match anything in the CERT payload; both fields >> may be used by an implementation to perform access control >> decisions. >> >>Discussion: >> >>The implication of this change, as was discussed in San Francisco, is >>that it gives freedom to implementations to make more sophisticated >>access control policies, where the responder might use the identity in >>the ID payload to look up an access control list, and match the >>subject name in the certificate against that ACL, for example. This >>can be advantageous in that do not need to dictate the form of the >>subject names in the certificate, which could promote the reuse of >>certificates across multiple applications. The downside is that the >>initiator must now allow the configuration of two pieces of >>information; there is an additional configuration "knob" which must be >>set correct in order for two peers to successfully ocmmunicate. >> >>There are other alternatives, which have been discussed in the past. >>Two self-consistent and workable alternatives are presented here: >> >>2) Require that that IPSEC strictly define the types of X.509 >>certificate subject names that would be accepted, and precisely define >>the matching rules of the identity payload. This in effect would >>predefine the access control policies in the system. One mechanism >>for doing so can be found in section 3.2 of >>draft-ietf-ipsec-pki-profile-02.txt. >> >>3) Specify that the ID payload must not be sent and/or is ignored when >>using certificates to authenticate. In this case, the Certificate >>subject name is used to lookup the policy information associated with >>the SA instead of the contents identity payload. (This is essentially >>very similar to a proposla contained in Paul Hoffman's >>revised-identity I-D.) >> >>These alternatives have tradeoffs: to differing degress, they >>essentially limit flexibility in the choice of certificate names and >>the name (identity) used to look up policy information. In the first >>case, the choice of the name found in certificate is limited to >>something which passes the matching rule defined in the pki-profile >>I-D when the subject name or the subject alt name is matched against >>the contents of the identity payload. In the second case, the name >>used to look up the SA policy is constrained to be exactly the subject >>name in the certificate, or perhaps the certificate itself. >> >>The latter alternative in particular may impact some implementations >>significantly, by changing the key used to look up and manage SA >>policy information. >> >>Decision path: >> >>At the San Francisco meeting, there was clear (but rough) consensus to >>explicitly specify that the contents of the ID payload do not have to >>match the contents of the CERT payload, and which will require that >>initiators have sufficient configuration controls to set both the ID and >>Cert payloads. Proposed text which implements this rough conensus has >>been included in this messange. >> >>Since the straw poll indicated that of the people in the room at San >>Francisco, that people were 2-1 in favor of this choice, and this >>chice should be considered the privileged or "default" choice. >>However, especially given the roughness of the consensus there, this >>decision must be confirmed on the mailing list. People who believe >>that one of the above alternatives, or some other alternative, should >>be adopted instead, are encouraged to speak up. >> >> >> > > > -- The views presented in this mail are completely mine. The company is not responsible for whatsoever. ------------------------------------------------------------------------ Ravi Kumar CH Rendezvous On Chip (i) Pvt Ltd Hyderabad, India Ph: +91-40-2335 1214 / 1175 / 1184 ROC home page <http://www.roc.co.in>
- Confirm decision on identity handling. Theodore Ts'o
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. jpickering@creeksidenet.com
- Re: Confirm decision on identity handling. Andrew Krywaniuk
- Re: Confirm decision on identity handling. Brian Korver
- Re: Confirm decision on identity handling. Ravi
- Re: Confirm decision on identity handling. Theodore Ts'o
- Re: Confirm decision on identity handling. Ravi
- Re: Confirm decision on identity handling. Niklas Hallqvist
- Re: Confirm decision on identity handling. jpickering@creeksidenet.com
- Re: Confirm decision on identity handling. Antonio Forzieri
- Re: Confirm decision on identity handling. Stephen Kent
- RE: Confirm decision on identity handling. Gregory Lebovitz
- RE: Confirm decision on identity handling. Gregory Lebovitz
- RE: Confirm decision on identity handling. Andrew Krywaniuk
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Richardson
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Scott G. Kelly
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Scott G. Kelly
- RE: Confirm decision on identity handling. Paul Hoffman / VPNC
- RE: Confirm decision on identity handling. jknowles
- RE: Confirm decision on identity handling. jknowles
- RE: Confirm decision on identity handling. Gregory Lebovitz
- RE: Confirm decision on identity handling. Gregory Lebovitz
- Re: Confirm decision on identity handling. Scott G. Kelly
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. David Wierbowski
- Re: Confirm decision on identity handling. Michael Richardson
- RE: Confirm decision on identity handling. jknowles
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Andrew Krywaniuk
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. David Wierbowski
- Re: Confirm decision on identity handling. Scott G. Kelly
- RE: Confirm decision on identity handling. jknowles
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Andrew Krywaniuk
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- RE: Confirm decision on identity handling. Gregory Lebovitz
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Francis Dupont
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- RE: Confirm decision on identity handling. Gregory Lebovitz
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Ravi
- [Fwd: Confirm decision on identity handling.] Scott G. Kelly
- Re: Confirm decision on identity handling. Uri Blumenthal
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Uri Blumenthal
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Thomas
- some thoughts on identity handling Stephen Kent
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Eric Rescorla
- Re: some thoughts on identity handling Michael Richardson
- Re: [Fwd: Confirm decision on identity handling.] Ravi
- Re: Confirm decision on identity handling. Charlie_Kaufman
- Re: Confirm decision on identity handling. Charlie_Kaufman
- Re: Confirm decision on identity handling. Scott G. Kelly
- Re: Confirm decision on identity handling. Michael Thomas
- Re: Confirm decision on identity handling. Greg Troxel
- Re: Confirm decision on identity handling. Paul Koning
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. Paul Hoffman / VPNC
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. D. K. Smetters
- Re: Confirm decision on identity handling. Michael Richardson
- Re: Confirm decision on identity handling. D. K. Smetters