Posted by Stephen J. Bevan on June 3, 2006, 11:58 pm
pvsnmp@yahoo.com writes:
>>However, the IDii does not have to be an IP address. It could be a
>>FQDN or an opaque key. Either of these can be used to pass down a
>>value that is known only to the initiator and responder. Obviously
>>using a FQDN name like "step...@dino.dnsalias.com" would be easy to
>>guess but if instead it was a string like "stephen/*WQ732HG" where
>>"stephen" is the user-name and "*WQ732HG" is another shared secret
>>then this can be used to provide identity protection (stephen) and
>>provide a way to use main-mode with a (group) pre-shared key while still
>>providing per-user authentication.
>
> In pre-shared key authentication, does the recipient of message 5 or 6
> do anything else with the ID other than using it for computation of the hash?
The recipient should validate the ID according to their security
policy, the details of which are not dictated by IKE. So, it can vary
from doing no validation (common if the ID is an IP address) to doing
checks like the ones I describe in the paragraph you quote.
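A responder-side policy check of the kind described above, added here as an example that is not part of the original thread or of any IKE implementation: an address ID is accepted only if it matches the packet's source, and a "user/secret" ID is checked against a per-user table in constant time. The ID type numbers are the ISAKMP ones from RFC 2407; the user table, the secrets and the peer address are constructed for the example (in main mode the IDii in message 5 is carried encrypted, so the extra secret is not exposed on the wire).

```python
import hmac
import ipaddress

# ISAKMP identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_KEY_ID = 11

# Constructed per-user table: user-name -> the extra shared secret the
# initiator places after the "/" in its ID. Values are made up.
USER_SECRETS = {
    "stephen": "*WQ732HG",
    "alice": "Q9x!Lm20",
}


def validate_id(id_type, id_data, peer_ip):
    """Policy check on the IDii received in main-mode message 5.

    Returns the authenticated identity as a string when the ID is acceptable,
    or None when it must be rejected. The ID has already gone into HASH_I;
    this is the separate policy step that IKE leaves to the implementation.
    """
    if id_type == ID_IPV4_ADDR:
        # Address IDs carry no user information: accept only if the claimed
        # address (dotted string or 4 raw bytes) matches the packet source.
        try:
            claimed = ipaddress.IPv4Address(id_data)
        except ValueError:
            return None
        return str(claimed) if claimed == ipaddress.IPv4Address(peer_ip) else None

    if id_type in (ID_FQDN, ID_USER_FQDN, ID_KEY_ID):
        # "user/secret" form: look up the user, then compare the secret in
        # constant time so a wrong guess is not distinguishable by timing.
        if isinstance(id_data, bytes):
            id_data = id_data.decode("ascii", errors="replace")
        user, sep, secret = id_data.partition("/")
        if not sep or not user:
            return None
        expected = USER_SECRETS.get(user)
        # Unknown users are compared against a dummy value so that a failed
        # lookup does not return faster than a wrong secret.
        dummy = "\x00" * len(secret)
        ok = hmac.compare_digest(secret.encode(), (expected or dummy).encode())
        return user if expected is not None and ok else None

    # Any other ID type (DER names, address ranges, ...) is outside this policy.
    return None
```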