
Re: 2401bis Issue # 89 -- Remove the selector "name"



The name selector is often used for remote access, and maybe for other applications. I know of several IPsec implementations that use FQDN for remote-access policy selection, and without DN, how do we apply access controls based on certs?

Scott

Karen Seo wrote:
Folks,

Here's a description and proposed approach for:

IPsec Issue #: 89

Title: Remove the selector "name"

Description
===========
In the interest of simplifying things, we propose to remove the selector "Name". Is anyone using this selector?


Proposed approach
=================
Remove text such as the following:

[From Section 4.4.2 "Selectors"]

  "- Name: There are 2 cases (Note that these name forms are
     supported in the IPsec DOI.)
         1. User ID
             a. a fully qualified user name string (DNS),
                e.g., mozart@xxxxxxxxxxx
             b. X.500 distinguished name, e.g., C = US,
                SP = MA,  O = GTE Internetworking, CN =
                Stephen T. Kent.
         2. System name (host, security gateway, etc.)
             a. a fully qualified DNS name, e.g.,
                foo.bar.com
             b. X.500 distinguished name
             c. X.500 general name

     NOTE: One of the possible values of this selector is
           "OPAQUE".

     [REQUIRED for the following cases.  Note that support
     for name forms other than addresses is not required for
     manually keyed SAs.
         o User ID
             - native host implementations
             - BITW and BITS implementations acting as HOSTS
               with only one user
             - security gateway implementations for INBOUND
               processing.
         o System names -- all implementations]"

Thank you,
Karen
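The thread above argues over whether the "Name" selector can be dropped; the reply points out that remote-access and certificate-based access control depend on it. As an added example that is not part of this thread, of RFC 2401 or of any IPsec implementation, the Python below sketches what the selector does: an ordered SPD whose entries are keyed on the three name forms from the quoted Section 4.4.2 text (fully qualified user name, X.500 DN, FQDN), matched against the names a peer proved with its certificate. The policy entries, hosts, users and DNs are constructed sample data; the DN comparison folds case and whitespace as a stand-in for the X.500 matching rules (an assumption, with no escaping or multi-valued RDNs handled); the OPAQUE value is not modelled.

```python
"""Added example (not from the IPsec WG thread or RFC 2401): a toy ordered SPD
whose entries carry the Section 4.4.2 "Name" selector, matched against the names
an IKE peer authenticated with its certificate.  All policy entries, hosts,
users and DNs below are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Name forms listed in the quoted Section 4.4.2 text (OPAQUE is not modelled).
USER_FQDN = "user-fqdn"   # 1a: fully qualified user name, e.g. alice@example.com
DN = "dn"                 # 1b / 2b: X.500 distinguished name
FQDN = "fqdn"             # 2a: fully qualified DNS host name


@dataclass(frozen=True)
class NameSelector:
    form: str
    value: str


@dataclass
class SpdEntry:
    name: NameSelector
    action: str          # "PROTECT", "BYPASS" or "DISCARD"
    label: str


@dataclass
class PeerIdentity:
    """Names taken from the peer's authenticated certificate.  Constructed here
    rather than parsed from a real certificate: subject DN plus the rfc822Name
    and dNSName entries of subjectAltName."""
    subject_dn: str
    rfc822_names: Tuple[str, ...] = ()
    dns_names: Tuple[str, ...] = ()


def parse_dn(text: str) -> List[Tuple[str, str]]:
    """Split 'C=US, SP=MA, O=Example, CN=Alice' into (type, value) RDN pairs.
    Assumption/simplification: no escaped commas or multi-valued RDNs; attribute
    types are upper-cased and values have case and whitespace folded, standing in
    for the X.500 caseIgnoreMatch rule."""
    rdns = []
    for part in text.split(","):
        attr, sep, val = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), " ".join(val.split()).lower()))
    return rdns


def _fold_host(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.lower().rstrip(".")


def name_matches(sel: NameSelector, peer: PeerIdentity) -> bool:
    """Does the SPD entry's Name selector match the identity the peer proved?"""
    if sel.form == USER_FQDN:
        return sel.value.lower() in {n.lower() for n in peer.rfc822_names}
    if sel.form == FQDN:
        return _fold_host(sel.value) in {_fold_host(n) for n in peer.dns_names}
    if sel.form == DN:
        return parse_dn(sel.value) == parse_dn(peer.subject_dn)
    raise ValueError(f"unknown name form: {sel.form}")


def lookup(spd: List[SpdEntry], peer: PeerIdentity) -> Tuple[str, str]:
    """Ordered SPD search, first match wins; no matching entry means DISCARD."""
    for entry in spd:
        if name_matches(entry.name, peer):
            return entry.action, entry.label
    return "DISCARD", "no matching entry"


# Constructed remote-access policy on a security gateway (inbound direction).
SPD = [
    SpdEntry(NameSelector(DN, "C=US, O=Example Corp, OU=Engineering, CN=Alice Example"),
             "PROTECT", "engineering-vpn"),
    SpdEntry(NameSelector(FQDN, "gw1.branch.example.net"), "PROTECT", "branch-gateway"),
    SpdEntry(NameSelector(USER_FQDN, "contractor@partner.example.org"),
             "DISCARD", "revoked-contractor"),
]


def demo() -> dict:
    """Run four constructed peers through the policy and return their outcomes."""
    alice = PeerIdentity("C=US, O=Example Corp, OU=Engineering, CN=Alice Example",
                         rfc822_names=("alice@example.com",))
    gateway = PeerIdentity("CN=gw1.branch.example.net, O=Example Corp",
                           dns_names=("GW1.Branch.Example.NET.",))
    contractor = PeerIdentity("CN=Contractor",
                              rfc822_names=("contractor@partner.example.org",))
    stranger = PeerIdentity("CN=Mallory, O=Example Corp")
    return {
        "alice": lookup(SPD, alice),
        "gateway": lookup(SPD, gateway),
        "contractor": lookup(SPD, contractor),
        "stranger": lookup(SPD, stranger),
    }


if __name__ == "__main__":
    for who, (action, label) in demo().items():
        print(f"{who:10s} -> {action} ({label})")
```

Without the Name selector, the same policy could only be keyed on the peer's address, which for a remote-access client is assigned at connection time; this is the access-control gap the reply in the thread is pointing at.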