
Re: Can ID be different than SubjectAltName field of the Certificate



Tamir,

I guess it is possible, as long as you have appropriate Policy rules for matching information
in the Certificate, ID Payload and the SPD, which could be quite complex if all of them
must match.

BTW - my name is Slava (not Slave)

Tamir Zegman wrote:

> Slave,
>
> We agree that there should be a strong bond between the information on the certificate
> and the ID payload; even so, this does not mandate that they be identical. The way in which you
> bind the ID payload to the appropriate SPD entry should be a local policy matter. For example,
> your local policy could bind foo.bar.com to a certain ip address or
> you could use Secure DNS to do the binding.
>
> Regards,
> Tamir & Moshe.
>
> Bronislav Kavsan wrote:
>
> > Tamir Zegman wrote:
> >
> > > What do we have to gain from having the same content in both ID payload and
> > > subjectAltName?
> >
> > Tamir,
> >
> > If the Policy on my server (responder in this case) is keyed by the
> > other party's ID and I allow ID payload and cert mismatch as you suggested, then
> > person A could impersonate his boss by sending the boss's ID and person A's valid cert.
> > In this case my policy will select the wrong entry in the SPD.
> >
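The two positions in this thread can be put side by side in code. The following is an added example, not code from the list or from any IKE implementation: a responder whose SPD is keyed by the peer's ID payload, once with the ID used unchecked (Slava's impersonation case) and once with the ID accepted only when local policy ties it to a name in the peer's already-verified certificate (Tamir's "local policy matter", where an identical SAN is merely the default binding). The SPD entries, policy bindings, identities and certificates are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Name = Tuple[str, str]  # (name type, value), e.g. ("dns", "alice.bar.com")


@dataclass(frozen=True)
class Certificate:
    """Peer certificate, assumed already chain-validated against a trusted CA."""
    subject_alt_names: FrozenSet[Name]


@dataclass(frozen=True)
class IdPayload:
    """IKE Phase 1 ID payload as sent by the peer (not yet trusted)."""
    id_type: str  # "fqdn", "ipv4" or "email"
    value: str


# Constructed SPD keyed by peer ID, as in the responder described in the thread.
SPD = {
    ("fqdn", "boss.bar.com"): "allow-all-traffic",
    ("fqdn", "alice.bar.com"): "allow-mail-only",
    ("ipv4", "10.0.0.5"): "allow-mail-only",
}

# Constructed local policy: which certificate names may back each ID.
# An identical name is the default; here an IP-address ID is bound to an FQDN cert.
POLICY_BINDINGS = {
    ("fqdn", "alice.bar.com"): frozenset({("dns", "alice.bar.com"), ("email", "alice@bar.com")}),
    ("ipv4", "10.0.0.5"): frozenset({("dns", "alice.bar.com")}),
}

# Default mapping from ID payload type to the SAN entry type that must carry the same value.
SAN_TYPE_FOR_ID = {"fqdn": "dns", "email": "email", "ipv4": "ip"}

# Constructed certificates held by person A ("alice").
ALICE_CERT = Certificate(frozenset({("dns", "alice.bar.com")}))
ALICE_EMAIL_CERT = Certificate(frozenset({("email", "alice@bar.com")}))


def select_spd_unchecked(id_payload: IdPayload, cert: Certificate) -> Optional[str]:
    """Weak responder: the cert signature is checked elsewhere, but the ID payload is
    never tied to it, so any valid cert holder can claim any ID that has an SPD entry."""
    return SPD.get((id_payload.id_type, id_payload.value))


def id_backed_by_cert(id_payload: IdPayload, cert: Certificate) -> bool:
    """True if local policy (or, absent a binding, an identical SAN entry) ties this ID
    to a name present in the presented certificate."""
    key = (id_payload.id_type, id_payload.value)
    allowed = POLICY_BINDINGS.get(key)
    if allowed is None:
        san_type = SAN_TYPE_FOR_ID.get(id_payload.id_type)
        if san_type is None:
            return False  # unknown ID type: no way to bind it, so reject
        allowed = frozenset({(san_type, id_payload.value)})
    return not allowed.isdisjoint(cert.subject_alt_names)


def select_spd_bound(id_payload: IdPayload, cert: Certificate) -> Optional[str]:
    """Hardened responder: refuse the SPD lookup unless the cert backs the claimed ID."""
    if not id_backed_by_cert(id_payload, cert):
        return None
    return SPD.get((id_payload.id_type, id_payload.value))


if __name__ == "__main__":
    claimed_boss = IdPayload("fqdn", "boss.bar.com")
    print("unchecked:", select_spd_unchecked(claimed_boss, ALICE_CERT))  # allow-all-traffic
    print("bound:    ", select_spd_bound(claimed_boss, ALICE_CERT))      # None
```

With the unchecked lookup, A's valid certificate plus the boss's ID selects the boss's SPD entry, which is exactly the mismatch Slava describes. With the bound lookup the same exchange is rejected before any SPD entry is chosen, while the policy table still lets A's FQDN ID be backed by an e-mail-only certificate and lets an IP-address ID be backed by A's FQDN certificate, so the ID and the subjectAltName need not be byte-identical as long as the binding is explicit.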