IETF Logo Mail Archive

Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate

Rodney Thayer <rodney@tillerman.nu> Sat, 12 September 1998 08:15 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id EAA29999 for ipsec-outgoing; Sat, 12 Sep 1998 04:15:28 -0400 (EDT)
Message-Id: <199809112157.RAA02441@2gn.com>
X-Sender: rodney@module-one.tillerman.nu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.2
Date: Fri, 11 Sep 1998 18:55:35 -0400
To: bmanning@isi.edu
From: Rodney Thayer <rodney@tillerman.nu>
Subject: Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate
Cc: ipsec@tis.com
In-Reply-To: <199809111448.AA04563@zed.isi.edu>
References: <199809111113.HAA06472@2gn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

well since nobody else seems to care where the packet came from I suppose it's fine.

At 07:48 AM 9/11/98 -0700, you wrote:
>
>Actually, this raises an interesting question wrt the recent A6 RR type being
>proposed in the IPv6 group.  The plan is to compose the IP address on the fly,
>depending on where you are.  How would IPSEC deal with that model?
>
>> 
>> If you used a dynamically assigned address you wouldn't have had an IP address in your cert because you, your network manager, and your CA wouldn't have chosen to do that anyway.
>> 
>> The validity checking is only a part of the picture, it's not a whole answer by itself.
>> 
>> I changed the text (my current plan is to resubmit Monday) so all that stuff is 'MAY' and a few 'SHOULD's so it should line up with the rough consensus we're seeing here.
>> 
>> At 12:35 AM 9/11/98 -0700, you wrote:
>> >What if that stolen router is instead your stolen mobile IKE laptop?.
>> >What kind of binding between SubjectAltName to
>> >smtp or ipaddress or dns  prevents the above scenario?
>> >
>> >
>> >--Rizwan Mallal
>> >Raptor Systems Inc
>> >
>> >
>> >
>> >-----Original Message-----
>> >From: Rodney Thayer <rodney@tillerman.nu>
>> >To: Greg Carter <greg.carter@entrust.com>
>> >Cc: ipsec@tis.com <ipsec@tis.com>
>> >Date: Thursday, September 10, 1998 7:53 PM
>> >Subject: RE: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
>> >
>> >
>> >>So this means that what we are trusting is that the CA signed a certificate
>> >which represented some identification that the CA found acceptable.
>> >>
>> >>It seems to me that all this "but the CA said it was ok" logic ignores the
>> >possibility that the private key might be stolen.  I am not arguing with the
>> >fact the CA said it was ok, I am thinking about the case where the situation
>> >has changed, and, for example, the private key got stolen (i.e. the router
>> >was stolen and is now sitting on some other network with a different IP
>> >address.)
>> >>
>> >>
>> >>
>> >>At 11:37 AM 9/10/98 -0400, you wrote:
>> >>>
>> >>>> but you're saying ignore the legitimacy of the identities relative to
>> >the
>> >>>> rest of the world...
>> >>>>
>> >>>>
>> >>>Hi Rodney,
>> >>>If the rest of the world is not secure then yes.  You trust that your CA
>> >>>only allowed valid names, whether or not those names can be resolved via
>> >DNS
>> >>>(or whatever) is not important.  What is important is that your policy
>> >>>database contain an entry for the name.  If it does then apply the rules
>> >>>found.  You know that the other end is who they say they are because your
>> >CA
>> >>>allowed the identity in the certificate.  You allow the connection because
>> >>>you found relevant policy for that identity.
>> >>>
>> >>>If the name can be resolved then that may be a good sanity check, but
>> >unless
>> >>>its secured it hasn't gained you much.
>> >>>
>> >>>So I am in agreement with Tero.
>> >>>----
>> >>>Greg Carter, Entrust Technologies
>> >>>greg.carter@entrust.com
>> >>>
>> >>
>> > 
>> 
>> 
>
>
>-- 
>--bill
>

v2.37.1 | Report a Bug | By Email | System Status