On Sep 16, 2013, at 2:02 PM, Valery Smyslov <sva...@gmail.com> wrote:

> Hi Yoav,
> 
> 
>> What I could not find anywhere in the RFC is how to match name in the ID 
>> payload to the certificate. In HTTPS we have a requirement that either the 
>> CN or the dNSName alternate name match the domain name in the URL. We don't 
>> have similar rules for IKE, do we?
> 
> Yes, we do: RFC4945.

Thanks. I usually search for RFCs by the ipsec or ipsecme working groups, and I 
totally forgot about pki4ipsec.

>> So do you think it would be appropriate to mandate these matching rules in 
>> rfc5996bis, or should this be left to AD-VPN solutions. IOW, is such a 
>> standard rule needed for generic IKE/IPsec?
> 
> It's definitely worth mentioning these rules in RFC5996bis, or at least 
> pointing to RFC4945.

Now that I've seen it, I don't think so. Not without updating it. RFC 5996 
says in section 4:

   For an implementation to be called conforming to this specification,
   it MUST be possible to configure it to accept the following:

   o  Public Key Infrastructure using X.509 (PKIX) Certificates
      containing and signed by RSA keys of size 1024 or 2048 bits, where
      the ID passed is any of ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, or
      ID_DER_ASN1_DN.

Note the ID_KEY_ID. But RFC 4945 says this in section 3.1.7:

   The ID_KEY_ID type used to specify pre-shared keys and thus is out of
   scope.

And in the table in section 3.1:

   ID type  | Support  | Correspond  | Cert     | SPD lookup
            | for send | PKIX Attrib | matching | rules
   -------------------------------------------------------------------
            |          |             |          |
   KEY_ID   | MUST NOT | n/a         | n/a      | n/a
            |          |             |          |


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
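The matching rules the thread is arguing about, as an added worked example that is not part of the mailing-list post or of any IKE implementation: a small model of the RFC 4945 section 3.1 requirement that the ID payload a peer sends must correspond to an identity carried in its certificate (ID_FQDN to a dNSName, ID_RFC822_ADDR to an rfc822Name, ID_IPV4_ADDR/ID_IPV6_ADDR to an iPAddress, ID_DER_ASN1_DN to the Subject), and that ID_KEY_ID, which RFC 5996 section 4 lists as a required ID type for certificate authentication, has nothing in a certificate to match against. The certificate is a constructed record of already-parsed fields (`ParsedCert`, the `SAMPLE_CERT` values and the function names are assumptions for this example; a real implementation would take the fields from an X.509 parser), and the exact string-comparison rules (case-insensitive DNS names and mail domains, byte-for-byte DN comparison) are this example's choices, not a restatement of the RFC text.

```python
"""Added example: RFC 4945-style check that an IKEv2 ID payload corresponds
to an identity in the peer's certificate.  Not code from the thread or from
any IKE implementation; stdlib only."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# IKEv2 ID payload types, RFC 5996 section 3.5
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11


@dataclass
class ParsedCert:
    """Constructed stand-in for the parts of an X.509 cert that RFC 4945 matches on."""
    subject_dn_der: bytes                      # Subject, DER encoded
    dns_names: List[str] = field(default_factory=list)    # SAN dNSName
    emails: List[str] = field(default_factory=list)       # SAN rfc822Name
    ip_addresses: List[object] = field(default_factory=list)  # SAN iPAddress (ipaddress objects)


class IdMismatch(Exception):
    """The ID payload does not correspond to any identity in the certificate."""


def _norm_email(addr: str) -> str:
    # Assumption for this example: local part compared as-is, domain case-insensitively.
    local, _, domain = addr.partition("@")
    return local + "@" + domain.lower()


def match_id_to_cert(id_type: int, id_data: bytes, cert: ParsedCert) -> str:
    """Return the certificate field the ID payload matched, or raise IdMismatch."""
    if id_type == ID_KEY_ID:
        # RFC 4945 section 3.1.7 / table in 3.1: KEY_ID is for pre-shared keys and
        # MUST NOT be sent with certificate authentication; nothing to match.
        raise IdMismatch("ID_KEY_ID has no corresponding certificate attribute")
    if id_type == ID_FQDN:
        name = id_data.decode("ascii").rstrip(".").lower()
        if any(name == d.rstrip(".").lower() for d in cert.dns_names):
            return "subjectAltName:dNSName"
    elif id_type == ID_RFC822_ADDR:
        addr = _norm_email(id_data.decode("ascii"))
        if any(addr == _norm_email(e) for e in cert.emails):
            return "subjectAltName:rfc822Name"
    elif id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        expected_len = 4 if id_type == ID_IPV4_ADDR else 16
        if len(id_data) != expected_len:
            raise IdMismatch("address ID payload has the wrong length")
        ip = ipaddress.ip_address(id_data)        # accepts packed bytes
        if ip in cert.ip_addresses:
            return "subjectAltName:iPAddress"
    elif id_type == ID_DER_ASN1_DN:
        # Assumption for this example: compare the DER bytes of the DN exactly.
        if id_data == cert.subject_dn_der:
            return "subject"
    else:
        raise IdMismatch(f"unsupported ID type {id_type}")
    raise IdMismatch("ID payload does not correspond to any certificate identity")


def peer_id_accepted(id_type: int, id_data: bytes, cert: ParsedCert) -> bool:
    """Boolean form of match_id_to_cert for policy code that does not want exceptions."""
    try:
        match_id_to_cert(id_type, id_data, cert)
        return True
    except IdMismatch:
        return False


# Constructed sample certificate fields (not a real certificate).  The DN is the
# DER encoding of "CN=vpn.example.com".
SAMPLE_CERT = ParsedCert(
    subject_dn_der=bytes.fromhex("301a3118301606035504030c0f") + b"vpn.example.com",
    dns_names=["vpn.example.com"],
    emails=["admin@example.com"],
    ip_addresses=[ipaddress.ip_address("192.0.2.1")],
)

if __name__ == "__main__":
    for id_type, data in [(ID_FQDN, b"VPN.Example.COM."),
                          (ID_IPV4_ADDR, bytes([192, 0, 2, 1])),
                          (ID_DER_ASN1_DN, SAMPLE_CERT.subject_dn_der),
                          (ID_KEY_ID, b"vpn-gw-01")]:
        print(id_type, data, "->", peer_id_accepted(id_type, data, SAMPLE_CERT))
```

Running the block shows the conflict Yoav points at: the first three IDs are accepted against the sample certificate, while ID_KEY_ID is rejected outright, even though RFC 5996 section 4 requires a conforming implementation to accept it with PKIX certificates.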
