
Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names

>>>>> "Dave" == Dave Mason <dmason@tis.com> writes:
    Dave> If it's marked as a non-mobile certificate in the policy database, the
    Dave> database would restrict the ip addresses allowed for the remote
  
  If it's not a mobile node, then your local policy database will have a
clear end-point for the router. So, even if they steal the router and drop
it in somewhere with a different IP address, the SAs that would be
allowed to be negotiated would be for the original location.
  The names in the certificate are *not* policy information. They are
keys to policy information. If you use the stuff *as* policy information,
then you are going to get hosed. Use KeyNote or something instead if you
want scaling beyond your local config file.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/SSW/).
	ON HUMILITY: To err is human, to moo bovine.
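The distinction above, "names as keys to policy" versus "names as policy", is easy to get wrong in an IKE daemon. The following is an added example, not code from the post or from any IPsec implementation, contrasting the two. The certificate layout, the policy-database shape, the function names and the sample identities and addresses are all constructed for illustration; the only thing it is meant to show is that a stolen non-mobile router with a perfectly valid certificate is still refused from a new IP address when the cert name merely selects a local policy entry, and is accepted when the cert's own contents are treated as authorization.

```python
"""Certificate names as keys into a local IPsec policy database.

Added example, not taken from the mailing-list post or from any IKE
implementation.  Cert layout, policy entries, identities and addresses
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an already-authenticated IKE peer certificate (constructed).

    subject    : the name used to identify the peer (e.g. a DNS subjectAltName)
    net_claims : networks the certificate itself claims the holder may protect,
                 the sort of data the post warns against treating as policy
    """
    subject: str
    net_claims: tuple = ()


@dataclass(frozen=True)
class PolicyEntry:
    """Locally configured facts about one peer, keyed by its certificate name."""
    mobile: bool
    allowed_selectors: tuple      # traffic selectors this peer may negotiate
    allowed_peers: tuple = ()     # fixed tunnel endpoints (non-mobile peers only)


# Constructed local policy database.  The branch router is a fixed
# site-to-site peer: its cert name unlocks this entry, and the entry, not
# the cert, says where the router may negotiate from.
POLICY_DB = {
    "router1.branch.example.net": PolicyEntry(
        mobile=False,
        allowed_selectors=("10.1.0.0/16",),
        allowed_peers=("192.0.2.10",),
    ),
    "laptop.alice.example.net": PolicyEntry(
        mobile=True,
        allowed_selectors=("10.9.1.42/32",),
    ),
}


def _covered(selector: str, allowed: tuple) -> bool:
    """True if the proposed selector lies inside one of the allowed networks."""
    want = ipaddress.ip_network(selector)
    return any(want.subnet_of(ipaddress.ip_network(net)) for net in allowed)


def naive_authorize(cert: Cert, peer_ip: str, selector: str) -> bool:
    """Certificate contents used *as* policy (the approach the post rejects).

    The cert validated, and the cert says its holder protects these networks,
    so the SA is accepted from wherever the holder happens to be.  peer_ip is
    deliberately ignored: that is the defect being illustrated.
    """
    return _covered(selector, cert.net_claims)


def policy_authorize(cert: Cert, peer_ip: str, selector: str, db=POLICY_DB) -> bool:
    """Certificate name used only as a *key*; the local policy entry decides."""
    entry = db.get(cert.subject)
    if entry is None:
        return False                      # valid cert, but no policy: no SA
    if not _covered(selector, entry.allowed_selectors):
        return False                      # selector the admin never granted
    if entry.mobile:
        return True                       # mobile node: endpoint is not pinned
    return peer_ip in entry.allowed_peers  # non-mobile: must be at its configured address


# Constructed scenario: the branch router's cert, presented first from its
# configured address and then from a new address after the box was stolen.
ROUTER_CERT = Cert("router1.branch.example.net", net_claims=("10.1.0.0/16",))
HOME_ADDRESS = "192.0.2.10"
STOLEN_ADDRESS = "198.51.100.7"


def demo() -> dict:
    """Run both checks against the scenario; returns the decisions by label."""
    return {
        "naive/home":   naive_authorize(ROUTER_CERT, HOME_ADDRESS, "10.1.0.0/16"),
        "naive/stolen": naive_authorize(ROUTER_CERT, STOLEN_ADDRESS, "10.1.0.0/16"),
        "policy/home":  policy_authorize(ROUTER_CERT, HOME_ADDRESS, "10.1.0.0/16"),
        "policy/stolen": policy_authorize(ROUTER_CERT, STOLEN_ADDRESS, "10.1.0.0/16"),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:14s} -> {'accept' if decision else 'reject'}")
```

Note that both functions receive a certificate that has already passed signature and chain validation; the difference is solely in what the daemon does with the name afterwards. In `policy_authorize` a mobile entry deliberately leaves the endpoint unpinned, which is the trade-off the quoted exchange is about: mobility is granted per identity by the local database, not inferred from the certificate.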