
certificates & proxy authentication.



[This is the message which Michael Richardson was referring to..  
As he said, I wasn't missing anything; proxy identities are merely
assertions by the proxy.]

There was some discussion of proxy authentication in ISAKMP, which is
mentioned in passing in a couple places in the drafts, but is not
discussed in very much detail.

It appears the functionality is intended to be used to allow a gateway
to act as a proxy for a principal behind the gateway; the gateway
presents its identity and the identity of the principal (user or host)
behind the gateway.

For instance, you may have a network looking vaguely like:

	user <-> GWA <-> GWB ...

where user already has set up SA's with GWA, and GWA is negotiating
with GWB and proxying for `user'.

Now, certificates bind a set of attributes to a public key, and
implicitly link those attributes to the *holder* of the private part
of that key; there's not much point in passing around a certificate
except to link the attributes in the certificate to something signed
by the certified key.

I don't see any place where a protocol is defined which allows `GWA'
to ask `user' to sign something destined for GWB, to prove to GWB that
the user is really there..  Merely forwarding the cert doesn't prove
anything; GWA could have pulled the cert out of the certificate
directory..

So, is the model that GWB trusts GWA's claim that `user' has
successfully authenticated to GWA?  If so, this may be expedient, but
I don't think it's a scalable trust model..

What am I missing?

					- Bill
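
The distinction drawn in the message above, as an added example that is not part of the original post or of the ISAKMP drafts: GWB accepting a forwarded certificate versus GWB requiring its own fresh nonce to be signed by the certified key. Assumptions: Lamport one-time signatures (standard library only) stand in for whatever algorithm the certified key would use, a dict stands in for the certificate directory and certificate validation, and all function names are hypothetical.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def gwb_accepts_cert(directory, identity, cert_pk):
    # Model questioned in the message: GWB checks only that the forwarded cert is genuine.
    return directory.get(identity) == cert_pk

def gwb_accepts_challenge(directory, identity, nonce, sig):
    # Alternative: GWB wants its own fresh nonce signed by the certified key.
    pk = directory.get(identity)
    return pk is not None and verify(pk, b"GWB|" + identity.encode() + b"|" + nonce, sig)

def scenario():
    user_sk, user_pk = keygen()      # private half stays with `user`
    gwa_sk, _ = keygen()             # GWA's own key
    directory = {"user": user_pk}    # constructed stand-in for the cert directory
    nonce = secrets.token_bytes(16)  # chosen by GWB
    msg = b"GWB|user|" + nonce
    return {
        # GWA copies the cert out of the directory; user never takes part.
        "cert_only": gwb_accepts_cert(directory, "user", directory["user"]),
        # user signs GWB's nonce; GWA merely relays the signature.
        "user_signed": gwb_accepts_challenge(directory, "user", nonce, sign(user_sk, msg)),
        # GWA, lacking the user's private key, signs with its own.
        "gwa_signed": gwb_accepts_challenge(directory, "user", nonce, sign(gwa_sk, msg)),
    }
```

The `cert_only` check passes even though the user took no part, which is why that model reduces to GWB trusting GWA's assertion.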