
Re: Can ID be different than SubjectAltName field of the Certificate



Slave,

We agree that there should be a strong bond between the information on the certificate and the ID payload; even so, this does not mandate that they be identical. The way in which you bind the ID payload to the appropriate SPD entry should be a local policy matter. For example, your local policy could bind foo.bar.com to a certain IP address, or you could use Secure DNS to do the binding.

Regards,
Tamir & Moshe.

Bronislav Kavsan wrote:

> Tamir Zegman wrote:
>
> > What do we have to gain from having the same content in both ID payload and
> > subjectAltName?
>
> Tamir,
>
> If the Policy on my server (responder in this case) is keyed by the
> other party's ID and I allow ID payload and cert mismatch as you suggested - then
> person A could impersonate his boss by sending the boss's ID and person A's valid cert.
> In this case my policy will select the wrong entry in the SPD.
>
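As an added illustration (not part of this thread, and not anyone's implementation), here is the responder-side check the exchange is about, in Python with constructed names and SPD entries: the ID payload selects an SPD entry only once the certificate vouches for it, either by carrying the same name in subjectAltName or through a local binding table of the kind Tamir & Moshe describe (the hypothetical LOCAL_BINDING below).

```python
# Toy IKE responder policy lookup (constructed example): the ID payload may
# only select an SPD entry if the peer's certificate backs that ID.
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    san: set = field(default_factory=set)   # subjectAltName values (constructed)

# SPD keyed by peer ID, as on the responder in the thread (constructed values).
SPD = {
    "boss.bar.com": "boss-tunnel: finance subnet",
    "alice.bar.com": "alice-tunnel: dev subnet",
    "foo.bar.com": "foo-tunnel: lab subnet",
}

# Hypothetical local policy binding: ID -> other identities a certificate may
# carry to assert that ID (here foo.bar.com is bound to an IP address).
LOCAL_BINDING = {
    "foo.bar.com": {"192.0.2.10"},
}

def allowed_identities(id_payload):
    """Identities a cert must contain to legitimately assert id_payload."""
    return {id_payload} | LOCAL_BINDING.get(id_payload, set())

def select_spd_entry(id_payload, cert, enforce_binding=True):
    """Return the SPD entry for the peer, or None if the cert does not back the ID."""
    if enforce_binding and not (allowed_identities(id_payload) & cert.san):
        return None            # ID payload is not vouched for by the certificate
    return SPD.get(id_payload)

# Constructed certificates: Alice's valid cert and a host cert carrying an IP.
alice_cert = Cert("CN=Alice", {"alice.bar.com"})
foo_cert = Cert("CN=foo", {"192.0.2.10"})

if __name__ == "__main__":
    # Mismatch tolerated: Alice sends the boss's ID with her own valid cert
    # and the policy picks the boss's SPD entry.
    print(select_spd_entry("boss.bar.com", alice_cert, enforce_binding=False))
    # Binding enforced: the same attempt selects nothing.
    print(select_spd_entry("boss.bar.com", alice_cert))
    # Local binding: foo.bar.com may be asserted by a cert holding its IP.
    print(select_spd_entry("foo.bar.com", foo_cert))
```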


