Hi Yoav,
What I could not find anywhere in the RFC is how to match the name in the ID
payload to the certificate. In HTTPS we have a requirement that either the
CN or the dNSName alternate name match the domain name in the URL. We
don't have similar rules for IKE, do we?
Yes, we do: RFC4945.
So do you think it would be appropriate to mandate these matching rules in
rfc5996bis, or should this be left to AD-VPN solutions. IOW, is such a
standard rule needed for generic IKE/IPsec?
It's definitely worth mentioning these rules in RFC5996bis, or at least
pointing to RFC4945.
Yoav
Regards,
Valery.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
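The thread points to RFC 4945 for binding the IKE ID payload to the peer's certificate. The following is an added example, not code from the thread or from any IKE implementation, showing what such a check looks like: each ID type is matched against the corresponding subjectAltName type (ID_FQDN to dNSName, ID_RFC822_ADDR to rfc822Name, ID_IPV4/IPV6_ADDR to iPAddress) and ID_DER_ASN1_DN to the Subject. It goes beyond the FQDN case the thread mentions by covering all four types. The `PeerCert` record, the helper names, and the decision not to fall back to the Subject CN (the HTTPS habit the thread contrasts with) are my assumptions for illustration; a real implementation would read these fields from the X.509 certificate via its PKIX library and would parse the DER-encoded DN rather than a string.

```python
"""Bind an IKEv2 ID payload to the peer certificate in the RFC 4945 style.

Added example (not from the mailing-list thread or any IKE stack). The
certificate model below is a constructed stand-in for the fields a PKIX
library would extract from the real X.509 certificate.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# IKEv2 ID payload type codes (RFC 5996, section 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9


@dataclass
class PeerCert:
    """Constructed view of the certificate fields RFC 4945 matches against
    (assumption: subject_dn is the RFC 4514 string form of the Subject)."""
    subject_dn: str
    san_dns: list[str] = field(default_factory=list)    # dNSName entries
    san_email: list[str] = field(default_factory=list)  # rfc822Name entries
    san_ip: list[str] = field(default_factory=list)     # iPAddress entries


def _norm_fqdn(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot does not change the name.
    return name.rstrip(".").lower()


def _norm_email(addr: str) -> str:
    # Only the domain part is case-insensitive; keep the local part as given.
    local, sep, domain = addr.rpartition("@")
    return local + sep + domain.lower() if sep else addr


def _norm_dn(dn: str) -> tuple[tuple[str, str], ...]:
    # Simplified RFC 4514 comparison: attribute types case-insensitive,
    # values compared verbatim. Assumption: no escaped commas in the input.
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return tuple(parts)


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def id_matches_cert(id_type: int, id_data: str, cert: PeerCert) -> bool:
    """Return True only if the certificate asserts the identity in the ID payload.

    Each ID type is bound to one certificate field, as RFC 4945 prescribes.
    There is deliberately no fallback to the Subject CN: an FQDN that appears
    only in the CN does not authenticate an ID_FQDN here.
    """
    if id_type == ID_FQDN:
        return _norm_fqdn(id_data) in {_norm_fqdn(n) for n in cert.san_dns}
    if id_type == ID_RFC822_ADDR:
        return _norm_email(id_data) in {_norm_email(a) for a in cert.san_email}
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        want = _parse_ip(id_data)
        expected_version = 4 if id_type == ID_IPV4_ADDR else 6
        # The ID type must agree with the address family it carries.
        if want is None or want.version != expected_version:
            return False
        return any(_parse_ip(a) == want for a in cert.san_ip)
    if id_type == ID_DER_ASN1_DN:
        return _norm_dn(id_data) == _norm_dn(cert.subject_dn)
    # ID_KEY_ID and unknown types carry nothing a certificate can vouch for.
    return False


if __name__ == "__main__":
    # Constructed sample: a gateway certificate with SANs but a CN-only DN.
    gw = PeerCert(subject_dn="C=US, O=Example, CN=vpn.example.net",
                  san_dns=["VPN.example.net."], san_ip=["192.0.2.1"])
    print(id_matches_cert(ID_FQDN, "vpn.example.net", gw))     # True via dNSName
    cn_only = PeerCert(subject_dn="CN=vpn.example.net")
    print(id_matches_cert(ID_FQDN, "vpn.example.net", cn_only))  # False: no SAN
```

The point the example makes for a reviewer of 5996bis text is that the match is per ID type, not "any name anywhere in the certificate": an FQDN in the CN alone, or an IPv4 ID whose data is actually an IPv6 literal, must fail.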