RE: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names

> but you're saying ignore the legitimacy of the identities relative to the
> rest of the world...
Hi Rodney,
If the rest of the world is not secure, then yes.  You trust that your CA
only allowed valid names; whether or not those names can be resolved via DNS
(or whatever) is not important.  What is important is that your policy
database contains an entry for the name.  If it does, then apply the rules
found.  You know that the other end is who they say they are because your CA
allowed the identity in the certificate.  You allow the connection because
you found relevant policy for that identity.

If the name can be resolved, then that may be a good sanity check, but unless
it's secured it hasn't gained you much.

So I am in agreement with Tero.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com