Hi Ben,

> It's not quite "you know who you are talking to based on IP", but more of
> "under this precondition, you know that the peer should be part of the same
> ACP domain, and thus using the same TA as you".  But you don't know exactly
> which peer in the domain, and thus which EE cert, you're going to get.
> 
> The case that (IIUC) triggered this subthread is when things are wired
> badly and you end up actually talking to someone in a different ACP domain,
> i.e., with a different TA.  We want to be able to report what that
> "unexpected" TA is, so that the mis-wiring can be diagnosed more readily.

I still have an impression that this can be achieved without adding TA to the 
CERT payload.
For example, the last cert in the path before the TA will have an Issuer DN 
of TA, so you'll have some information anyway...

Regards,
Valery.

> -Ben
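
An added illustration of the approach in Valery's reply (example code written for this page, not from the thread or any IKEv2 implementation): when the peer's CERT payload carries no trust anchor, the Issuer DN of the last certificate in the chain still names the TA that issued it, which is enough to log an "unexpected TA" when the peer turns out to be in a different ACP domain. All function names (`der`, `name`, `certificate`, `tlv`, `children`, `name_to_str`, `issuer_and_subject`, `diagnose_chain`), the sample DNs and chains, and the assumption that the chain is ordered leaf first with the certificate issued directly by the TA last (i.e. path building has already ordered it) are this example's own; the certificates are constructed stand-ins with an empty key and a dummy signature, parsed by a minimal hand-rolled DER decoder so the block runs with the standard library alone.

```python
# Added example (not code from the thread): report which TA a peer's chain
# leads to from the Issuer DN of its last certificate.  Standard library only;
# certificates are constructed stand-ins (empty SPKI, dummy signature).

OID_CN = bytes([0x55, 0x04, 0x03])   # id-at-commonName (2.5.4.3)
OID_O = bytes([0x55, 0x04, 0x0A])    # id-at-organizationName (2.5.4.10)
OID_LABEL = {OID_CN: "CN", OID_O: "O"}


def der(tag, content):
    """Encode one DER TLV with a definite length (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def name(org, cn):
    """Encode an X.501 Name: SEQUENCE of single-attribute RDNs (O, then CN)."""
    def rdn(oid, value):
        return der(0x31, der(0x30, der(0x06, oid) + der(0x13, value.encode("ascii"))))
    return der(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))


SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption


def certificate(subject, issuer, serial):
    """Build a minimal v3 Certificate: just enough structure for DN extraction."""
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))   # [0] EXPLICIT version v3
                    + der(0x02, bytes([serial]))
                    + SIG_ALG + issuer + validity + subject
                    + der(0x30, b""))               # subjectPublicKeyInfo placeholder
    return der(0x30, tbs + SIG_ALG + der(0x03, b"\x00\x00"))   # dummy BIT STRING signature


def tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(content):
    """Split a constructed value's content into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        out.append((tag, body))
    return out


def name_to_str(name_content):
    """Render a Name's content as 'O=..., CN=...' (PrintableString values only)."""
    parts = []
    for _, rdn in children(name_content):           # each RDN is a SET
        for _, atv in children(rdn):                # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, value) = children(atv)
            parts.append(f"{OID_LABEL.get(oid, 'OID')}={value.decode('ascii')}")
    return ", ".join(parts)


def issuer_and_subject(cert_der):
    """Return (issuer DN, subject DN) strings of one DER certificate."""
    _, cert, _ = tlv(cert_der)
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:             # skip the optional [0] version
        tbs = tbs[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return name_to_str(tbs[2][1]), name_to_str(tbs[4][1])


def diagnose_chain(chain, expected_ta_dn):
    """chain: DER certs, leaf first, certificate issued directly by the TA last
    (assumed already ordered by path building).  Returns (issuer matches our
    TA?, issuer DN observed); the DN is what to log for a mis-wiring report."""
    observed = issuer_and_subject(chain[-1])[0]
    return observed == expected_ta_dn, observed


# Constructed sample data: our TA, a foreign TA, and three peer chains.
OUR_TA = name("Example Net", "ACP TA Alpha")
OTHER_TA = name("Other Net", "ACP TA Bravo")
SUB_CA = name("Example Net", "ACP Sub CA")
EXPECTED_TA_DN = "O=Example Net, CN=ACP TA Alpha"   # Subject of our configured TA

DIRECT_CHAIN = [certificate(name("Example Net", "node-1"), OUR_TA, 1)]
SUBCA_CHAIN = [certificate(name("Example Net", "node-2"), SUB_CA, 7),
               certificate(SUB_CA, OUR_TA, 2)]
MISWIRED_CHAIN = [certificate(name("Other Net", "node-9"), OTHER_TA, 9)]

if __name__ == "__main__":
    for label, chain in [("direct", DIRECT_CHAIN), ("sub-CA", SUBCA_CHAIN), ("mis-wired", MISWIRED_CHAIN)]:
        ok, ta_dn = diagnose_chain(chain, EXPECTED_TA_DN)
        print(f"{label:9s} {'OK' if ok else 'MISMATCH'}  peer chain leads to TA: {ta_dn}")
```

The mis-wired chain reports `O=Other Net, CN=ACP TA Bravo` without the foreign TA certificate ever being sent. Two caveats for anyone wiring this into a real IKEv2 stack: the issuer DN identifies the TA by name only, not by key, so two anchors with the same DN are indistinguishable this way, and the DN is peer-supplied data that should be logged as a diagnostic hint rather than treated as an authenticated identity.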

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
