[Openswan Users] left/rightsendcert=always questions

Nate Carlson natecars at natecarlson.com
Thu May 13 23:11:08 CEST 2004


On Fri, 14 May 2004, Ken Bantoft wrote:
> Good question - I wish the RFC's answered this.  Some vendors ask for a
> cert, and some assume the cert will be sent.  There is much controversy
> over what is the 'most secure' mechanism.  The current default
> (ifasked)  sends only when requested.  I'm seriously tempted to set it
> to =always, however people have raised concerns that it's a security
> hole, as you 'leak' data to anyone who initiates an IPsec connection to
> you.  I haven't formulated an opinion on which is better, so I'm open to
> suggestions.

How does the ifasked option work? If it's a case where anyone can request 
the certificate (no authentication beforehand required), I don't see how 
that'd be any more secure than just sending it out to start with.

In any case, it is just the public side of an SSL cert, similar to a web
certificate - isn't it generally well-understood that those certificates
can be viewed by anyone? I know, VPN is a different issue, but still..

> Not yet... it needs to be written.  Yet another item on my
> never-ending-swan TODO list :(

Is there a to-do list somewhere detailing the things that need to be
documented? I'm sure some members of the community wouldn't mind spending
some time hashing them out. If I have time I may even write some.  :)

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------

