At 7:16 PM +0300 5/31/09, Yaron Sheffer wrote:
>> 6) Section 6: The word "Unspecified" is probably wrong here -- this
>> document has to specify these (but clearly an implementation doesn't
>> have to include in the ticket any data it never uses).
>>
> [YS] I have used "unspecified" as synonymous with "implementation specific".
> Or do you want to propose alternative text?

FWIW, I think "implementation-specific" is probably right here.

>> 8) The text about handling IDr is very unclear -- certainly the
>> gateway can't start to use some other IDr in the new IKE_SA,
>> without authenticating it?
>>
> [YS] Unfortunately you are right, but this eliminates important flexibility
> in naming the gateways. We *could* say that the client trusts the gateway to
> identify itself, because the gateway is clearly a member of the "trusted
> gateways" group (it is able to decrypt the ticket). But that still sounds
> wrong.

Being a member of the "trusted gateways" group doesn't sound wrong to me: in fact, it sounds like the correct way to say it. If that group has just one member, so be it.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec