
RE: Can ID be different than SubjectAltName field of the Certificate



>If the policy on my server (responder in this case) is keyed by the
>other party's ID and I allow ID payload and cert mismatch as you suggested,
>then person A could impersonate his boss by sending the boss's ID and
>person A's valid cert. In this case my policy will select the wrong entry
>in the SPD.

I would suggest extracting the SubjectAltName from the certificate
and using that to key into your Policy database.  If certs are being
exchanged there's not much need for the ID payload since the cert
provides an unforgeable identity by definition.

Of course, if certs aren't being exchanged via IKE, then one way to
identify which cert to retrieve via alternate means would be by the
contents of the ID payload.

-dave
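As an added illustration of the suggestion above (example code, not from this thread or any IKE implementation), the policy database is keyed by the certificate's SubjectAltName rather than by the peer's ID payload, so a peer that sends someone else's ID together with its own valid cert still gets its own policy; it uses the Python `cryptography` library, and the SPD entries, e-mail addresses and self-signed test certs are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed policy database, keyed by the SAN rfc822Name found in the cert
# (hypothetical entries; a real SPD would hold selectors, not labels).
SPD = {
    "boss@example.com": "allow-all",
    "alice@example.com": "restricted",
}


def make_cert(san_email: str) -> bytes:
    """Build a self-signed test certificate carrying one SAN rfc822Name.
    Constructed test data only; real peers present CA-issued certs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, san_email)])
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName([x509.RFC822Name(san_email)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def san_emails(cert_pem: bytes) -> list:
    """Extract every rfc822Name from the certificate's SubjectAltName."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.RFC822Name)


def select_policy(id_payload: str, cert_pem: bytes):
    """Return (policy, mismatch). The policy is chosen from the cert's SAN,
    never from the ID payload; mismatch flags an ID the cert does not vouch for."""
    sans = san_emails(cert_pem)
    mismatch = id_payload not in sans
    policy = next((SPD[s] for s in sans if s in SPD), None)
    return policy, mismatch
```

With an ID-keyed lookup the second case below would have selected the boss's entry; keyed by SAN it selects Alice's entry and reports the mismatch.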

