[Openswan Users] left/rightsendcert=always questions
Ken Bantoft
ken at xelerance.com
Fri May 14 06:51:05 CEST 2004
On Thu, 13 May 2004, Nate Carlson wrote:
> On Fri, 14 May 2004, Ken Bantoft wrote:
> > Good question - I wish the RFCs answered this. Some vendors ask for a
> > cert, and some assume the cert will be sent. There is much controversy
> > over what is the 'most secure' mechanism. The current default
> > (ifasked) sends only when requested. I'm seriously tempted to set it
> > to =always, however people have raised concerns that it's a security
> > hole, as you 'leak' data to anyone who initiates an IPsec connection to
> > you. I haven't formulated an opinion on which is better, so I'm open to
> > suggestions.
>
> How does the ifasked option work? If it's a case where anyone can request
> the certificate (no authentication beforehand required), I don't see how
> that'd be any more secure than just sending it out to start with.
>
> In any case, it is just the public side of a SSL cert, similar to a web
> certificate - isn't it generally well-understood that those certificates
> can be viewed by anyone? I know, VPN is a different issue, but still..
Perhaps I'll just default it to always. Let me ask mcr, as he set the
current default for a reason.
> > Not yet... it needs to be written. Yet another item on my
> > never-ending-swan TODO list :(
>
> Is there a to-do list somewhere detailing the things that need to be
> documented? I'm sure some members of the community wouldn't mind spending
> some time hashing them out. If I have time I may even write some. :)
I posted on the dev list at the end of last month, but I've just gone and
WIKI'd it with more braindumpage.
http://wiki.openswan.org/index.php/ToDo and yes, Wiki is slow until we
move it - hopefully this weekend.
Folks should feel free to add tasks, comments or some indication that they
are working/interested in certain bits.
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson