<no hat>

On Sep 24, 2013, at 4:21 AM, Tero Kivinen <kivi...@iki.fi> wrote:

> Yaron Sheffer writes:
>> I just reread the introduction of RFC 4945 and I don't understand its 
>> purpose. So I'm not sure it should be referenced from 5996bis.
> 
> Ok, if there is any disagreement about it, then I think it is better
> to leave it out from 5996bis. 

Please do not. It is flawed, but it is the best we have. If you leave it out, 
then you will have to reproduce all the valuable matching bits in 5996bis. 
That's possible, but likely more work than you expect.

>> It is definitely not a "profile" in the sense that Tero is alluding to. 
>> Tero's own "minimal IKEv2" is a profile for a specific use. RFC 4945 
>> just attempts to fill in the holes (or perceived holes) in RFC 4306 and 
>> PKIX docs wrt PKI use in IPsec. Which just happens to be the main use 
>> case of IKE/IPsec!
> 
> I have understood that RFC4945 is a profile which profiles both PKIX and
> IPsec, i.e. tells the CA vendors what kind of features might be needed
> from the PKIX if certificates are used in the IPsec environment, and
> tells the IPsec vendors what kind of certificates it will receive from
> the CAs and how those can be used in the IPsec environment.

Tero's description of what was intended is exactly right. Whether or not we 
achieved that goal is a different matter.

> It is not the only possible way of combining PKIX and IPsec, for
> example if someone wants to use certificates and IPsec to protect
> routers, the requirements for what kind of certificates and what kind of
> IKE payloads and their semantics might be different.

...and therefore cause lack of interop.

--Paul Hoffman

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec