ZhangDong wrote:
What you are suggesting is an opportunistic approach. If CERTS are not
used, how do you plan to solve the initial leap of faith? If CERTS are
used, what is the advantage in using your approach?
The current 00 version of the draft provides a rough proposal for negotiating SAs via
CGA; more details will be added. The cert is the root of trust in CGA usage and is
necessary in the trust model. At the same time, we will consider various ways to
mitigate the packet size problem. Would you mind giving some advice?
Well, you could go for the usage of the Hash and URL CERT. In the case of
CRLs, OCSP would probably be more suitable. Or, carefully chosen
certificate lifetimes could reduce the size of revocation lists. But
again, what is then the advantage of this approach?
In case of IKEv2, it would be good to replace links to RFC2401 with RFC4301.
Regarding RFC4301 and SPs, I fail to understand why you omitted the
traffic selector payload from the negotiation. How will the traffic
selector negotiation be done?
Yes, we will take care of this problem. Currently, the document just shows an idea
for this area in order to find out whether anybody is interested in it. The
following drafts will be more polished.
Thanks again for your supplements.
Ana
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
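The "Hash and URL CERT" option mentioned in the thread is IKEv2 certificate encoding 12 (RFC 7296, section 3.6): instead of the full DER certificate, the CERT payload carries a 20-octet SHA-1 of the certificate followed by a URL from which the peer can retrieve it, which is what keeps the IKE_AUTH message from growing to fragmentation size. The example below is added here and is not code from the draft or from either poster; it builds and parses both the inline and the Hash-and-URL forms, compares their sizes, and shows the receiver-side check that a fetched certificate actually matches the hash. The DER blob and the URL are constructed stand-ins, and the `fetch` callable is injected so the code runs offline. Note that the hash only binds the URL to one particular certificate; the certificate still has to go through normal X.509 path validation, and the URL comes from the peer, so a receiver should not fetch from arbitrary hosts.

```python
"""Added example: IKEv2 CERT payload, inline X.509 vs Hash and URL (RFC 7296 s3.6)."""
import hashlib
import struct
from urllib.parse import urlsplit

PAYLOAD_CERT = 37             # IKEv2 payload type number for CERT
ENC_X509_SIGNATURE = 4        # full DER-encoded certificate carried inline
ENC_HASH_AND_URL_X509 = 12    # SHA-1(DER cert), 20 octets, followed by a URL
SHA1_LEN = 20


def build_cert_payload(encoding, cert_data, next_payload=0):
    """Generic payload header (Next Payload, C+Reserved, Length) + Cert Encoding + data."""
    body = bytes([encoding]) + cert_data
    length = 4 + len(body)
    if length > 0xFFFF:
        raise ValueError("CERT payload exceeds the 16-bit payload length field")
    return struct.pack("!BBH", next_payload, 0, length) + body


def build_inline_cert(der_cert):
    return build_cert_payload(ENC_X509_SIGNATURE, der_cert)


def build_hash_and_url_cert(der_cert, url):
    digest = hashlib.sha1(der_cert).digest()   # SHA-1 is what the RFC specifies here
    return build_cert_payload(ENC_HASH_AND_URL_X509, digest + url.encode("ascii"))


def parse_cert_payload(payload):
    if len(payload) < 5:
        raise ValueError("truncated CERT payload")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match the data")
    encoding, data = payload[4], payload[5:]
    if encoding == ENC_HASH_AND_URL_X509:
        if len(data) < SHA1_LEN:
            raise ValueError("Hash and URL data shorter than the 20-octet hash")
        return {"encoding": encoding, "hash": data[:SHA1_LEN],
                "url": data[SHA1_LEN:].decode("ascii")}
    return {"encoding": encoding, "cert": data}


def resolve_hash_and_url(parsed, fetch, allowed_hosts):
    """Receiver side. `fetch(url) -> bytes` is injected so this runs offline; in a
    real implementation it is an HTTP GET. The URL is peer-controlled, so restrict
    where we fetch from, then refuse the bytes unless they match the signalled hash."""
    parts = urlsplit(parsed["url"])
    if parts.scheme != "http" or parts.hostname not in allowed_hosts:
        raise ValueError("refusing to fetch certificate from %r" % parsed["url"])
    der_cert = fetch(parsed["url"])
    if hashlib.sha1(der_cert).digest() != parsed["hash"]:
        raise ValueError("fetched certificate does not match the hash in the CERT payload")
    return der_cert   # caller still performs X.509 path validation on this


# Constructed stand-in for a DER certificate (not a real X.509 object); a real
# end-entity cert plus chain is commonly 1-2 KB, enough to force IP fragmentation.
FAKE_DER_CERT = bytes([0x30, 0x82]) + bytes(range(256)) * 5
CERT_URL = "http://certs.example.net/gw1.der"   # hypothetical URL
ALLOWED_HOSTS = {"certs.example.net"}


def size_comparison(der_cert=FAKE_DER_CERT, url=CERT_URL):
    """Bytes on the wire for the inline CERT payload vs the Hash and URL form."""
    return len(build_inline_cert(der_cert)), len(build_hash_and_url_cert(der_cert, url))


def round_trip(der_cert=FAKE_DER_CERT, url=CERT_URL):
    """Honest peer: the hosted certificate matches the hash and is returned."""
    parsed = parse_cert_payload(build_hash_and_url_cert(der_cert, url))
    store = {url: der_cert}
    return resolve_hash_and_url(parsed, store.__getitem__, ALLOWED_HOSTS) == der_cert


def substitution_detected(der_cert=FAKE_DER_CERT, url=CERT_URL):
    """Hostile server: a swapped certificate at the URL must be rejected."""
    parsed = parse_cert_payload(build_hash_and_url_cert(der_cert, url))
    try:
        resolve_hash_and_url(parsed, lambda _u: b"\x30\x82attacker", ALLOWED_HOSTS)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("inline vs hash-and-url bytes:", size_comparison())
    print("honest fetch accepted:", round_trip())
    print("substituted cert rejected:", substitution_detected())
```

The size difference is the whole point of the suggestion: the inline payload is a few bytes larger than the certificate itself, while the Hash and URL payload is a fixed 25 bytes plus the URL, regardless of certificate or chain length. The receiver's hash check is not optional; without it, whoever controls the URL (or the path to it) controls which certificate gets validated.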