[Openswan Users] left/rightsendcert=always questions
Nate Carlson
natecars at natecarlson.com
Thu May 13 23:11:08 CEST 2004
On Fri, 14 May 2004, Ken Bantoft wrote:
> Good question - I wish the RFCs answered this. Some vendors ask for a
> cert, and some assume the cert will be sent. There is much controversy
> over what is the 'most secure' mechanism. The current default
> (ifasked) sends only when requested. I'm seriously tempted to set it
> to =always, however people have raised concerns that it's a security
> hole, as you 'leak' data to anyone who initiates an IPsec connection to
> you. I haven't formulated an opinion on which is better, so I'm open to
> suggestions.
How does the ifasked option work? If it's a case where anyone can request
the certificate (no authentication beforehand required), I don't see how
that'd be any more secure than just sending it out to start with.
In any case, it is just the public side of an SSL cert, similar to a web
certificate - isn't it generally well-understood that those certificates
can be viewed by anyone? I know, VPN is a different issue, but still...
> Not yet... it needs to be written. Yet another item on my
> never-ending-swan TODO list :(
Is there a to-do list somewhere detailing the things that need to be
documented? I'm sure some members of the community wouldn't mind spending
some time hashing them out. If I have time I may even write some. :)
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------