On Sep 16, 2013, at 2:02 PM, Valery Smyslov <sva...@gmail.com> wrote:
> Hi Yoav,
>
>>> What I could not find anywhere in the RFC is how to match name in the ID
>>> payload to the certificate. In HTTPS we have a requirement that either the
>>> CN or the dNSName alternate name match the domain name in the URL. We don't
>>> have similar rules for IKE, do we?
>
> Yes, we do: RFC4945.

Thanks. I usually search for RFCs by the ipsec or ipsecme working groups, and I totally forgot about pki4ipsec.

>>> So do you think it would be appropriate to mandate these matching rules in
>>> rfc5996bis, or should this be left to AD-VPN solutions. IOW, is such a
>>> standard rule needed for generic IKE/IPsec?
>
> It's definitely worth mentioning these rules in RFC5996bis, or at least pointing
> to RFC4945.

Now that I've seen it, I don't think so. Not without updating it. See, RFC 5996 says in section 4:

   For an implementation to be called conforming to this specification,
   it MUST be possible to configure it to accept the following:

   o  Public Key Infrastructure using X.509 (PKIX) Certificates
      containing and signed by RSA keys of size 1024 or 2048 bits, where
      the ID passed is any of ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, or
      ID_DER_ASN1_DN.

Note the ID_KEY_ID. But RFC 4945 says this in section 3.1.7:

   The ID_KEY_ID type used to specify pre-shared keys and thus is out of
   scope.

And in the table in section 3.1:

   ID type     | Support  | Correspond  | Cert      | SPD lookup
               | for send | PKIX Attrib | matching  | rules
   -------------------------------------------------------------------
   KEY_ID      | MUST NOT | n/a         | n/a       | n/a

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
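To make the gap discussed above concrete, here is an added example (not code from the thread, from either participant, or from any IKE implementation) of an ID-payload-to-certificate matcher written to my reading of the RFC 4945 section 3.1 table: ID_FQDN matches a dNSName SubjectAltName, ID_RFC822_ADDR an rfc822Name, ID_IPV4_ADDR/ID_IPV6_ADDR an iPAddress, ID_DER_ASN1_DN the certificate Subject, and ID_KEY_ID has no certificate rule at all, so the function can only report that rather than a match or mismatch. The certificate is a constructed stand-in holding just the fields the rules consult, the DN comparison is a byte-exact comparison of the DER Names (a conservative simplification), and the matcher deliberately does not fall back to the Subject CN the way the HTTPS practice mentioned in the thread does; these are the example's choices, not statements about what RFC 4945 requires beyond the table.

```python
"""IKEv2 ID payload vs. X.509 certificate matching, per the RFC 4945 3.1 table.

Added example: the PeerCert structure, the DER helper and the sample
certificates are constructed here and are not taken from any real
implementation or real certificate.
"""
from dataclasses import dataclass, field
from enum import Enum
import ipaddress

# IKEv2 Identification payload types (RFC 5996 section 3.5).
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_KEY_ID = 9, 11


class Verdict(Enum):
    MATCH = "match"
    MISMATCH = "mismatch"
    NO_RULE = "no certificate matching rule"   # RFC 4945 table: "n/a"


@dataclass
class PeerCert:
    """Only the certificate fields that the RFC 4945 matching rules consult."""
    subject_der: bytes                                  # DER of Subject Name
    dns_names: list = field(default_factory=list)       # SAN dNSName
    rfc822_names: list = field(default_factory=list)    # SAN rfc822Name
    ip_addresses: list = field(default_factory=list)    # SAN iPAddress, raw octets


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, short-form length only (body under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form lengths not supported in this example")
    return bytes([tag, len(body)]) + body


def dn_cn(common_name: str) -> bytes:
    """DER Name with one RDN, CN=<common_name> (OID 2.5.4.3 as UTF8String)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, common_name.encode("utf-8")))
    return der(0x30, der(0x31, atv))            # SEQUENCE { SET { atv } }


def _mailbox_key(addr: str) -> str:
    """Case-fold only the domain part; the local part is case-sensitive."""
    local, sep, domain = addr.rpartition("@")
    return local + sep + domain.casefold()


def match_id_to_cert(id_type: int, id_data: bytes, cert: PeerCert) -> Verdict:
    """Apply the RFC 4945 section 3.1 'Cert matching' column to one ID payload."""
    if id_type == ID_FQDN:
        # DNS names compare case-insensitively; exact labels, no wildcards.
        wanted = id_data.decode("ascii").rstrip(".").casefold()
        present = {n.rstrip(".").casefold() for n in cert.dns_names}
        return Verdict.MATCH if wanted in present else Verdict.MISMATCH
    if id_type == ID_RFC822_ADDR:
        wanted = _mailbox_key(id_data.decode("ascii"))
        present = {_mailbox_key(n) for n in cert.rfc822_names}
        return Verdict.MATCH if wanted in present else Verdict.MISMATCH
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        # ID payload carries raw address octets, as does the iPAddress SAN.
        return Verdict.MATCH if id_data in cert.ip_addresses else Verdict.MISMATCH
    if id_type == ID_DER_ASN1_DN:
        # Byte-exact DER comparison; the RFC 3280 name rules permit more
        # normalisation than this, so this is the strict side of the rule.
        return Verdict.MATCH if id_data == cert.subject_der else Verdict.MISMATCH
    if id_type == ID_KEY_ID:
        # Table row "KEY_ID | MUST NOT | n/a | n/a | n/a": there is nothing in
        # the certificate defined to compare against, so no verdict is possible.
        return Verdict.NO_RULE
    raise ValueError(f"unknown ID type {id_type}")


# Constructed sample certificates (not real certificates).
GATEWAY_CERT = PeerCert(
    subject_der=dn_cn("gw.example.com"),
    dns_names=["gw.example.com"],
    rfc822_names=["ike-admin@example.com"],
    ip_addresses=[ipaddress.ip_address("192.0.2.1").packed],
)
# Same CN, but no SubjectAltName at all: an HTTPS client would accept it by CN.
CN_ONLY_CERT = PeerCert(subject_der=dn_cn("gw.example.com"))


if __name__ == "__main__":
    for id_type, data in [(ID_FQDN, b"GW.example.com."), (ID_KEY_ID, b"gateway-1")]:
        print(id_type, data, match_id_to_cert(id_type, data, GATEWAY_CERT).value)
```

The ID_KEY_ID branch is the point of the thread in code form: an implementation that RFC 5996 section 4 requires to accept ID_KEY_ID with PKIX certificates has no RFC 4945 rule to apply there, so the caller has to supply its own policy (for instance, a locally configured binding from the key ID to an expected certificate) or refuse. The CN_ONLY_CERT case shows the example's stricter-than-HTTPS behaviour: a certificate whose Subject CN equals the FQDN but carries no dNSName SAN does not match an ID_FQDN payload.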