certificates & proxy authentication.
[This is the message which Michael Richardson was referring to.
As he said, I wasn't missing anything; proxy identities are merely
assertions by the proxy.]

There was some discussion of proxy authentication in ISAKMP, which is
mentioned in passing in a couple places in the drafts, but is not
discussed in very much detail.

It appears the functionality is intended to be used to allow a gateway
to act as a proxy for a principal behind the gateway; the gateway
presents its identity and the identity of the principal (user or host)
behind the gateway.

For instance, you may have a network looking vaguely like:

    user <-> GWA <-> GWB ...

where user already has set up SAs with GWA, and GWA is negotiating
with GWB and proxying for `user'.

Now, certificates bind a set of attributes to a public key, and
implicitly link those attributes to the *holder* of the private part
of that key; there's not much point in passing around a certificate
except to link the attributes in the certificate to something signed
by the certified key.

I don't see any place where a protocol is defined which allows `GWA'
to ask `user' to sign something destined for GWB, to prove to GWB that
the user is really there. Merely forwarding the cert doesn't prove
anything; GWA could have pulled the cert out of the certificate
directory.

So, is the model that GWB trusts GWA's claim that `user' has
successfully authenticated to GWA? If so, this may be expedient, but
I don't think it's a scalable trust model.

What am I missing?

- Bill
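
The distinction drawn in the message above, as an added example that is not part of the original post and is not ISAKMP's own mechanism: a forwarded certificate validates whether or not the user took part, while a signature over a fresh nonce from GWB requires the user's private key. The nonce exchange, the function names and the keys are hypothetical and constructed for illustration; the signatures use toy textbook RSA and are not secure.

```python
import hashlib

# Toy textbook RSA over Mersenne primes: illustration only, not secure.
E = 65537
M = lambda k: 2**k - 1  # 2^k - 1 is prime for k in {61, 89, 107, 127, 521, 607}

def keygen(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_h(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _h(msg, n)

def issue_cert(ca_priv, subject, pub):
    tbs = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return {"subject": subject, "pub": pub, "sig": sign(ca_priv, tbs)}

def cert_valid(ca_pub, cert):
    tbs = f"{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()
    return verify(ca_pub, tbs, cert["sig"])

def gwb_accepts_forwarded_cert(ca_pub, cert):
    # Model questioned in the message: GWB sees only a valid cert relayed by GWA.
    return cert_valid(ca_pub, cert)

def gwb_accepts_possession_proof(ca_pub, cert, nonce, sig):
    # Hypothetical alternative: the certified key must sign GWB's fresh nonce.
    return cert_valid(ca_pub, cert) and verify(cert["pub"], nonce, sig)

# Constructed keys and names for the example.
CA_PUB, CA_PRIV = keygen(M(521), M(607))
USER_PUB, USER_PRIV = keygen(M(89), M(127))
GWA_PUB, GWA_PRIV = keygen(M(61), M(107))
USER_CERT = issue_cert(CA_PRIV, "user", USER_PUB)  # public, e.g. held in a directory

if __name__ == "__main__":
    nonce = b"GWB-nonce-0001"  # constructed; a real verifier would use random bytes
    print("forwarded cert only:", gwb_accepts_forwarded_cert(CA_PUB, USER_CERT))
    print("GWA signs for user: ", gwb_accepts_possession_proof(
        CA_PUB, USER_CERT, nonce, sign(GWA_PRIV, nonce)))
    print("user signs nonce:   ", gwb_accepts_possession_proof(
        CA_PUB, USER_CERT, nonce, sign(USER_PRIV, nonce)))
```
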