
Re: Request for Clarification of Usage of Certificate Request Payload to Maximize Interoperability



At 12:25 PM 1/26/00 -0800, Allen_Rochkind@3com.com wrote:
> However, what I questioned is whether a device having
> multiple end entity certs, each issued by a different root, is realistic.

And many people responded that it was. Think extranets where each security gateway trusts only a CA controlled by the company that owns the gateway. Think VPN clients that are used by people who talk to more than one security gateway at different companies.

> Each
> device belongs in general to one security domain, with some administrator
> managing the security attributes of that device.

I do not think this matches the business model of many companies in the VPN business. There is a wide expectation that companies will use IPsec-and-firewall boxes for controlling ingress of trusted outsiders to their resources.

--Paul Hoffman, Director
--VPN Consortium