[Openswan Users] left/rightsendcert=always questions

Ken Bantoft ken at xelerance.com
Fri May 14 06:51:05 CEST 2004


On Thu, 13 May 2004, Nate Carlson wrote:

> On Fri, 14 May 2004, Ken Bantoft wrote:
> > Good question - I wish the RFCs answered this.  Some vendors ask for a
> > cert, and some assume the cert will be sent.  There is much controversy
> > over what is the 'most secure' mechanism.  The current default
> > (ifasked)  sends only when requested.  I'm seriously tempted to set it
> > to =always, however people have raised concerns that it's a security
> > hole, as you 'leak' data to anyone who initiates an IPsec connection to
> > you.  I haven't formulated an opinion on which is better, so I'm open to
> > suggestions.
> 
> How does the ifasked option work? If it's a case where anyone can request 
> the certificate (no authentication beforehand required), I don't see how 
> that'd be any more secure than just sending it out to start with.
> 
> In any case, it is just the public side of a SSL cert, similar to a web
> certificate - isn't it generally well-understood that those certificates
> can be viewed by anyone? I know, VPN is a different issue, but still..

Perhaps I'll just default it to always.  Let me ask mcr, as he set the 
current default for a reason.

> > Not yet... it needs to be written.  Yet another item on my
> > never-ending-swan TODO list :(
> 
> Is there a to-do list somewhere detailing the things that need to be
> documented? I'm sure some members of the community wouldn't mind spending
> some time hashing them out. If I have time I may even write some.  :)


I posted on the dev list at the end of last month, but I've just gone and 
WIKI'd it with more braindumpage.

http://wiki.openswan.org/index.php/ToDo and yes, Wiki is slow until we 
move it - hopefully this weekend.

Folks should feel free to add tasks, comments or some indication that they 
are working/interested in certain bits.


-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson
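To make the two settings discussed above concrete, here is a constructed ipsec.conf fragment (an added example, not configuration from the thread or from the Openswan project) showing a certificate-authenticated conn with the default `leftsendcert=ifasked` beside the `=always` alternative. With `ifasked` the local end sends its certificate only when the peer includes a certificate request in the IKE exchange; with `always` it is sent unconditionally. The conn name, IDs and file names are placeholders.

```ini
# Constructed example for illustration; conn name, IDs and cert file are assumed.
config setup
        # nothing certificate-specific needed here

# Default behaviour: send our certificate only when the peer requests it.
conn branch-office-ifasked
        authby=rsasig
        left=%defaultroute
        leftid="C=CA, O=Example Corp, CN=gw-a.example.com"
        leftcert=gw-a-example.pem
        leftsendcert=ifasked
        right=203.0.113.10
        rightid="C=CA, O=Example Corp, CN=gw-b.example.com"
        rightca=%same
        auto=add

# Alternative: always include our certificate in the exchange, for peers
# that expect it without asking.  Note that the certificate carries only
# public data (subject, issuer, public key), never the private key.
conn branch-office-always
        authby=rsasig
        left=%defaultroute
        leftid="C=CA, O=Example Corp, CN=gw-a.example.com"
        leftcert=gw-a-example.pem
        leftsendcert=always
        right=203.0.113.10
        rightid="C=CA, O=Example Corp, CN=gw-b.example.com"
        rightca=%same
        auto=add
```

Whichever setting is chosen, the data disclosed is the public certificate; the trade-off the thread raises is only whether an unauthenticated initiator can learn the gateway's identity before the exchange is authenticated, not whether any secret is exposed.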