Re: 2401bis Issue # 89 -- Remove the selector "name"
The name selector is often used for remote access, and maybe for other
applications. I know of several IPsec implementations which use FQDN for
remote access policy selection, and without DN, how do we apply access
controls based on certs?
Karen Seo wrote:
Here's a description and proposed approach for:
IPsec Issue #: 89
Title: Remove the selector "name"
In the interest of simplifying things, we propose to remove the selector
"Name". Is anyone using this selector?
Remove text such as the following:
[From Section 4.4.2 "Selectors"]
"- Name: There are 2 cases (Note that these name forms are
   supported in the IPsec DOI.)
      1. User ID
         a. a fully qualified user name string (DNS),
         b. X.500 distinguished name, e.g., C = US,
            SP = MA, O = GTE Internetworking, CN =
            Stephen T. Kent.
      2. System name (host, security gateway, etc.)
         a. a fully qualified DNS name, e.g.,
         b. X.500 distinguished name
         c. X.500 general name
   NOTE: One of the possible values of this selector is
   [REQUIRED for the following cases. Note that support
    for name forms other than addresses is not required for
    manually keyed SAs.
       o User ID
         - native host implementations
         - BITW and BITS implementations acting as HOSTS
           with only one user
         - security gateway implementations for INBOUND
       o System names -- all implementations]"
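The following is an added illustration, not code from this thread or from any RFC 2401 implementation, of what the Name selector contributes to an ordered SPD lookup in the remote-access case the reply above raises. It models the two name forms the quoted text lists (user ID and system name, each as FQDN or X.500 DN) and runs the same inbound traffic through the SPD once with the Name selector honoured and once with it treated as a wildcard (i.e. the selector removed). The DN is the one quoted in the draft text; the addresses, the FQDN identity and the policy itself are constructed for the example, and the DN normalisation is a deliberate simplification of X.500 matching rules.

```python
"""Toy SPD lookup showing what the "Name" selector buys (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Name:
    """Name forms from the quoted draft text: user ID or system name,
    each either a fully qualified name string or an X.500 DN."""
    kind: str   # "user_fqdn", "user_dn", "system_fqdn" or "system_dn"
    value: str


def normalise_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Simplified DN normalisation (assumption, not X.500 matching rules):
    split RDNs on ',', attribute type compared case-insensitively,
    surrounding whitespace ignored, RDN order preserved."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append((attr.strip().upper(), val.strip()))
    return tuple(rdns)


def names_match(selector: Name, identity: Optional[Name]) -> bool:
    """True when the authenticated peer identity satisfies the selector."""
    if identity is None or selector.kind != identity.kind:
        return False
    if selector.kind.endswith("_dn"):
        return normalise_dn(selector.value) == normalise_dn(identity.value)
    return selector.value.lower() == identity.value.lower()  # FQDNs are case-insensitive


@dataclass(frozen=True)
class SPDEntry:
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: Optional[int]     # None = any protocol
    name: Optional[Name]     # None = entry has no Name selector
    action: str              # "PROTECT", "BYPASS" or "DISCARD"


@dataclass(frozen=True)
class InboundTraffic:
    src: str
    dst: str
    proto: int
    peer: Optional[Name]     # identity the IKE peer authenticated with (e.g. cert subject)


def lookup(spd: Sequence[SPDEntry], t: InboundTraffic, use_name: bool = True) -> str:
    """Ordered first-match SPD lookup. With use_name=False the Name selector is
    treated as a wildcard, which is what removing the selector amounts to."""
    for e in spd:
        if ip_address(t.src) not in ip_network(e.src):
            continue
        if ip_address(t.dst) not in ip_network(e.dst):
            continue
        if e.proto is not None and e.proto != t.proto:
            continue
        if use_name and e.name is not None and not names_match(e.name, t.peer):
            continue
        return e.action
    return "DISCARD"  # nothing matched: default deny


# Constructed policy: every remote-access client is assigned an address from
# 192.0.2.0/24 (a documentation range). Only the peer whose certificate DN is the
# one quoted in the draft text may reach 10.1.0.0/16; other pool members are dropped.
KENT_DN = Name("user_dn", "C = US, SP = MA, O = GTE Internetworking, CN = Stephen T. Kent")
SPD = [
    SPDEntry("192.0.2.0/24", "10.1.0.0/16", None, KENT_DN, "PROTECT"),
    SPDEntry("192.0.2.0/24", "10.0.0.0/8", None, None, "DISCARD"),
]


def demo() -> dict:
    """Same source address, two different authenticated identities."""
    kent = InboundTraffic("192.0.2.7", "10.1.5.9", 6,
                          Name("user_dn", "c=US, sp=MA, o=GTE Internetworking, cn=Stephen T. Kent"))
    other = InboundTraffic("192.0.2.7", "10.1.5.9", 6,
                           Name("user_fqdn", "someone@example.net"))  # constructed identity
    return {
        "kent_with_name": lookup(SPD, kent),
        "other_with_name": lookup(SPD, other),
        "kent_without_name": lookup(SPD, kent, use_name=False),
        "other_without_name": lookup(SPD, other, use_name=False),
    }


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:20s} {action}")
```

With the Name selector in place the two peers get different decisions even though they share a pool address; with it removed, address and protocol are all the SPD can see, so both peers fall into the first entry and are treated alike. That is the access-control gap the reply is pointing at.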