Hi Toerless,
> Thanks, Valery
>
> let me pick up the one point i have no clear text solution for yet.
>
> On Fri, Feb 28, 2020 at 10:52:02AM +0300, Valery Smyslov wrote:
> > Hi Toerless,
> [...]
> > Well, the example you provided doesn't work. In IKEv2 first
> > the responder sends a list of TA
Hi Ben,
> It's not quite "you know who you are talking to based on IP", but more of
> "under this precondition, you know that the peer should be part of the same
> ACP domain, and thus using the same TA as you". But you don't know exactly
> which peer in the domain, and thus which EE cert, you're
On Mon, Jun 22, 2020 at 05:51:16PM +0300, Valery Smyslov wrote:
> Hi Ben,
>
> > It's not quite "you know who you are talking to based on IP", but more of
> > "under this precondition, you know that the peer should be part of the same
> > ACP domain, and thus using the same TA as you". But you don
On Mon, Jun 22, 2020 at 05:42:00PM +0300, Valery Smyslov wrote:
> And I think that prohibiting sending CERTREQ is a really bad idea for the
> profile.
> The better idea is to require ignoring CERTREQ content on receipt if you
> think it's not useful in your use case, but not banning sending it.
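The two policies debated in this thread (use the peer's CERTREQ to pick a matching chain, versus ignore its content because the ACP precondition already implies a shared trust anchor) can be made concrete with a small model of the IKEv2 CERTREQ payload. The following is an added illustration written for this page, not code from the ACP draft, the thread participants, or any IKE implementation. It encodes the payload as RFC 7296 section 3.7 describes for the "X.509 Certificate - Signature" encoding (Cert Encoding byte followed by a concatenation of SHA-1 hashes of each trust anchor's SubjectPublicKeyInfo); the SPKI byte strings, chain labels and the function names `build_certreq`, `parse_certreq` and `select_chain` are constructed for the example.

```python
import hashlib
import struct

# RFC 7296 section 3.7: Cert Encoding value for "X.509 Certificate - Signature".
X509_SIGNATURE = 4
# CA data for that encoding is a list of SHA-1 hashes of trust anchor SPKIs.
SPKI_HASH_LEN = 20


def ta_hash(spki_der: bytes) -> bytes:
    """SHA-1 of a trust anchor's SubjectPublicKeyInfo, as carried in CERTREQ."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(trust_anchor_spkis, next_payload=0) -> bytes:
    """Encode one CERTREQ payload: generic header, Cert Encoding, CA hashes.

    The responder (or initiator) lists the trust anchors it accepts, so the
    peer can choose a chain that terminates in one of them.
    """
    ca_data = b"".join(ta_hash(spki) for spki in trust_anchor_spkis)
    body = struct.pack("!B", X509_SIGNATURE) + ca_data
    length = 4 + len(body)  # generic payload header is 4 bytes
    header = struct.pack("!BBH", next_payload, 0, length)  # Next Payload, C/RESERVED, Length
    return header + body


def parse_certreq(payload: bytes):
    """Decode a CERTREQ payload into (cert_encoding, [trust anchor hashes]).

    Raises ValueError on malformed input so a caller never acts on a
    truncated or mis-sized list of hashes.
    """
    if len(payload) < 5:
        raise ValueError("CERTREQ too short")
    _next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    encoding = payload[4]
    ca_data = payload[5:]
    if encoding == X509_SIGNATURE and len(ca_data) % SPKI_HASH_LEN != 0:
        raise ValueError("CA data is not a whole number of SHA-1 hashes")
    hashes = [ca_data[i:i + SPKI_HASH_LEN] for i in range(0, len(ca_data), SPKI_HASH_LEN)]
    return encoding, hashes


def select_chain(certreq, chains, ignore_certreq=False):
    """Choose which local certificate chain to send in CERT.

    chains is a list of (label, issuing_trust_anchor_spki) in preference order.
    ignore_certreq=True models the policy argued for in the thread: CERTREQ is
    still allowed on the wire, but its content is not used because the ACP
    precondition already implies the peer shares our domain trust anchor.
    """
    if ignore_certreq or certreq is None:
        return chains[0][0] if chains else None
    encoding, requested = parse_certreq(certreq)
    if encoding != X509_SIGNATURE:
        return None  # an encoding we cannot satisfy
    wanted = set(requested)
    for label, ta_spki in chains:
        if ta_hash(ta_spki) in wanted:
            return label
    return None  # no chain terminates in a trust anchor the peer listed


# Constructed sample data: these are stand-ins, not real SPKI encodings.
ACP_TA = b"constructed-spki-acp-domain-ta"
OTHER_TA = b"constructed-spki-some-other-ta"
LOCAL_CHAINS = [("acp-chain", ACP_TA), ("other-chain", OTHER_TA)]

if __name__ == "__main__":
    req = build_certreq([OTHER_TA])
    print("match CERTREQ   :", select_chain(req, LOCAL_CHAINS))
    print("ignore CERTREQ  :", select_chain(req, LOCAL_CHAINS, ignore_certreq=True))
    print("unknown TA      :", select_chain(build_certreq([b"unknown"]), LOCAL_CHAINS))
```

Note that "ignore the content" still means parsing must be robust: a malformed CERTREQ from a peer should be rejected or skipped by `parse_certreq`, not silently trusted, regardless of which chain-selection policy the profile adopts.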