Re: Effective policy enforcement
>>>>> "Marcus" == Marcus Leech <mleech@nortel.ca> writes:
Marcus> (2) Viable policy engines in IPSEC/ISAKMP systems that
Marcus> make rich policy enforcement possible, and easy to
Marcus> administer.
I want to see this too. I know that this is planned for
several implementations. I'm hoping that the "FreeSWAN"
implementations will be one of them.
Marcus> (3) Availability to the applications of any and all
Marcus> attributes and/or authorizations carried in a certificate
Marcus> used to establish an SA (this applies to both X.509 and
Marcus> SPKI). In other words, it ought to be possible for an
Marcus> application to determine all of the security-relevant
Marcus> attributes for incoming connections to those applications.
This requires an extensive API.
I'd like to see, as a first step, a new ipsec wg work item: we
should be writing drafts to describe SPKI auth/tag fields. I suggest
that this be scheduled for post-Proposed Status for the existing drafts.
] IETF #38. In Memphis, TN. Elvis is in the terminal room! | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [