Re: Last Call: 'Kerberized Internet Negotiation of Keys (KINK)' to Proposed Standard (fwd)
On Thu, Dec 01, 2005 at 01:14:31PM +0900, KAMADA Ken'ichi wrote:
> At Tue, 29 Nov 2005 12:41:38 -0600,
> Nicolas Williams <Nicolas.Williams@xxxxxxx> wrote:
> > - Section 5.3 limits the IDs that can be used with KINK to
> > address/subnet/address range IDs. I think this is too limited, it
> > seems likely to make KINK very difficult to use.
> >
> > I'd rather that a new ID type be defined that corresponds to Kerberos
> > V principal names and/or that ID_FQDN and ID_RFC822_ADDR be allowed
> > and a simple algorithm be recommended for matching principals and
> > such IDs.
>
> Section 5.3 says that IDs in KINK identify traffic to be protected
> (like TSs in IKEv2). The peer's identifiers are principal names provided
> in the AP exchange. (Note that AP_REQ and AP_REP are always exchanged
> when negotiating SAs.)
Right, I was confused -- Sam explained how I got confused.
It would be nice if KINK supported IKEv2-style traffic selectors, but I
assume that's out of scope here.
Nico
--