[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 2401bis Issue # 89 -- Remove the selector "name"

The name selector is often used for remote access, and maybe for other applications. I know of several ipsec implementations which use fqdn for remote access policy selection, and without DN, how do we apply access controls based on certs?


Karen Seo wrote:

Here's a description and proposed approach for:

IPsec Issue #: 89

Title: Remove the selector "name"

In the interest of simplifying things, we propose to remove the selector "Name". Is anyone using this selector?

Proposed approach
Remove text such as the following:

[From Section 4.4.2 "Selectors"]

  "- Name: There are 2 cases (Note that these name forms are
     supported in the IPsec DOI.)
         1. User ID
             a. a fully qualified user name string (DNS),
                e.g., mozart@xxxxxxxxxxx
             b. X.500 distinguished name, e.g., C = US,
                SP = MA,  O = GTE Internetworking, CN =
                Stephen T. Kent.
         2. System name (host, security gateway, etc.)
             a. a fully qualified DNS name, e.g.,
             b. X.500 distinguished name
             c. X.500 general name

     NOTE: One of the possible values of this selector is

     [REQUIRED for the following cases.  Note that support
     for name forms other than addresses is not required for
     manually keyed SAs.
         o User ID
             - native host implementations
             - BITW and BITS implementations acting as HOSTS
               with only one user
             - security gateway implementations for INBOUND
         o System names -- all implementations]"

Thank you,