
Re: Can ID be different than SubjectAltName field of the Certificate



Tamir,

>We agree that there should be strong bond between the information on the
>certificate and the ID payload, even so, this does not mandate that they be
>identical. The way in which you bind the ID payload to the appropriate SPD
>entry should be a local policy matter. For example, your local policy could
>bind foo.bar.com to a certain ip address or you could use Secure DNS to do
>the binding.

I agree with your observations, but I think it fair to say that the best
case arises when the ID in the cert matches the SPD entry.  Any other
situation creates dependencies on other databases, which creates more
opportunities for management-induced vulnerabilities, etc.

Steve

