On Mon, Jun 08, 2020 at 10:24:10AM -0700, Michael Thomas wrote: > On 6/8/20 10:16 AM, Nico Williams wrote: > > On Mon, Jun 08, 2020 at 10:11:09AM -0700, Joe Touch wrote: > > > > On Jun 8, 2020, at 10:00 AM, Michael Thomas <mike@xxxxxxxx> wrote: > > > > i assume that you can hack ipsec to emulate clients not having certs. > > > It is called BTNS. See RFC 5387. > > Yes, but you also need RFC5660 implementations to make it more > > meaningful. Still, if all you want is error detection, BTNS will do. > > this is undoubtedly a complete rehash, but who controls what the root CA's > are with ipsec? is that something that the application layer has some say-so > over? could my app say i don't care who the root CA is? The idea with RFCs 5387 and 5660 is that there is no need for an IPsec PKI for IPsec to be useful, and, indeed, that IPsec for authentication is tricky because -after all- it deals in... IP addresses, which are not useful for authentication. Instead, use IPsec for session crypto and use channel binding to bind IPsec channels to higher-layer protocols where authentication can and does happen. Nico --
