
ID Policy: was RE: Non-IP type Client IDs



Since the lookup of policy based on ID payload has
been mentioned, I'd like comments on the following.

Corporation A uses CA CAa and has a gateway that allows
userA@corpA.com access to the accounting machine.  Corp
A then has a joint development project with Corp B that
uses CAb and allows access for userB@corpB.com to a
joint development machine behind the gateway, so it loads
the root for CAb and sets up a policy that allows
userB@corpB.com access to the dev machine.

Corp B finds out that Corp A is using a gateway that does
policy lookup based on ID payload contents so Corp B has
its CAb issue a certificate with subAltName userA@corpA.com
and uses this in its ID payload.  The certificate will
verify against the loaded CA root certificates (CAb) and the
ID payload will match what's in the certificate.  If policy
lookup is based strictly upon the ID payload, Corp B gets
access to the accounting machine.  Because of this I feel
policy lookup should be based on all of the certificate and
not just the portion of the certificate that is placed in
the ID payload.  Or at the very least, policy lookup should
be based on rootCA+IDpayload.

-dave
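
The scenario in the message above, as an added example that is not part of the original post: a policy table keyed on the ID payload alone beside one keyed on rootCA+IDpayload. The VerifiedPeer record stands in for the output of real certificate chain validation, and every function and table name here is an assumption made for illustration.

```python
# Added illustration; the data model and all names are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifiedPeer:
    """Stand-in for the result of validating a peer's certificate chain."""
    root_ca: str      # trust anchor the chain verified against
    subject_alt: str  # subjectAltName carried in the certificate
    id_payload: str   # identity the peer sent in its ID payload

TRUSTED_ROOTS = {"CAa", "CAb"}  # Corp A loaded CAb for the joint project

# Weak form: policy keyed on ID payload contents only.
POLICY_BY_ID = {
    "userA@corpA.com": "accounting",
    "userB@corpB.com": "dev",
}

# Bound form: policy keyed on (root CA, ID payload).
POLICY_BY_ROOT_AND_ID = {
    ("CAa", "userA@corpA.com"): "accounting",
    ("CAb", "userB@corpB.com"): "dev",
}

def authenticated(peer):
    # Chain verifies against a loaded root and the ID payload matches the cert.
    return peer.root_ca in TRUSTED_ROOTS and peer.id_payload == peer.subject_alt

def lookup_by_id(peer):
    if not authenticated(peer):
        return None
    return POLICY_BY_ID.get(peer.id_payload)

def lookup_by_root_and_id(peer):
    if not authenticated(peer):
        return None
    return POLICY_BY_ROOT_AND_ID.get((peer.root_ca, peer.id_payload))

# Constructed sample peers.
LEGIT_A = VerifiedPeer("CAa", "userA@corpA.com", "userA@corpA.com")
LEGIT_B = VerifiedPeer("CAb", "userB@corpB.com", "userB@corpB.com")
CROSS_ISSUED = VerifiedPeer("CAb", "userA@corpA.com", "userA@corpA.com")

if __name__ == "__main__":
    for peer in (LEGIT_A, LEGIT_B, CROSS_ISSUED):
        print(peer.root_ca, peer.id_payload,
              lookup_by_id(peer), lookup_by_root_and_id(peer))
```

The CAb-issued certificate naming userA@corpA.com passes authentication in both forms; only the lookup keyed on the root as well as the ID declines to map it to the accounting policy.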

