Re: application layer cross checking
In message <15089.52633.177939.677862@thomasm-u1.cisco.com>, Michael Thomas writes:
>Ramin Alidousti writes:
> > Take ssh for instance. It guarantees the secure communication
> > channel. It also passes the userid/username to the other end.
> > But it does not mean that the sshd on the other end says:
> > "Oh, Mr XYZ, I believe who you are and the doors are wide
> > open. Please do come in".
>
> Not at all. As with Kerberos, if you pass the credentials
> to the other side and key those packets under that session
> key, it doesn't matter whether you send your username...
> Unless the application stupidly believes that username
> when cryptographically provable credentials were available.
>
Right. "Authentication is not authorization". IPsec provides the
former; anything that uses that authenticated identity must provide the
latter.
--Steve Bellovin, http://www.research.att.com/~smb
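The distinction the thread draws (a session key bound to an authenticated principal versus a username field the peer merely writes into a message) is easy to see in code. The following is an added illustration, not code from anyone in this thread: a small stand-in for an authenticated transport (the role IPsec, Kerberos or ssh plays) binds a session key to a principal proven during key establishment, and two application handlers then decide an operation. The naive one believes the `username` the peer sent; the correct one uses the principal bound to the key and consults a separate authorization table. The transport class, the `AUTHORIZED` table and the names alice/bob are constructed for the example.

```python
import hmac
import hashlib
import json
import os

# Constructed authorization table: what each *authenticated* principal may do.
# A real deployment would keep this in an ACL or policy store; the names are
# assumptions made for this example.
AUTHORIZED = {
    "alice": {"read"},
    "bob": {"read", "write"},
}


class AuthenticatedTransport:
    """Stand-in for IPsec/Kerberos/ssh: an authenticated key exchange binds a
    session key to a principal. Messages are integrity-protected under that key,
    so the receiver learns *who* sent a message, but nothing about what that
    principal is allowed to do."""

    def __init__(self):
        # session id -> (principal proven during key establishment, session key)
        self._sessions = {}

    def establish(self, principal):
        # Assumption: the peer has already been cryptographically authenticated
        # (certificate, Kerberos ticket, ssh key, ...) as `principal` before this.
        sid = os.urandom(8).hex()
        key = os.urandom(32)
        self._sessions[sid] = (principal, key)
        return sid, key

    @staticmethod
    def protect(sid, key, payload):
        """Sender side: MAC the payload under the session key."""
        body = json.dumps(payload, sort_keys=True)
        tag = hmac.new(key, (sid + body).encode(), hashlib.sha256).hexdigest()
        return {"sid": sid, "body": body, "mac": tag}

    def receive(self, msg):
        """Receiver side: verify the MAC and return the principal the key is
        bound to, plus the decoded payload. The payload is data, not identity."""
        principal, key = self._sessions[msg["sid"]]
        expected = hmac.new(key, (msg["sid"] + msg["body"]).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            raise ValueError("integrity check failed")
        return principal, json.loads(msg["body"])


def naive_decision(transport, msg):
    """Wrong: the channel is authenticated, but the application then believes
    the username written inside the payload."""
    _principal, payload = transport.receive(msg)
    claimed = payload["username"]
    return payload["op"] in AUTHORIZED.get(claimed, set())


def correct_decision(transport, msg):
    """Right: identity comes from the authenticated session; authorization is a
    separate lookup on that identity, never on something the peer wrote."""
    principal, payload = transport.receive(msg)
    return payload["op"] in AUTHORIZED.get(principal, set())


def demo():
    t = AuthenticatedTransport()
    sid, key = t.establish("alice")
    honest = t.protect(sid, key, {"username": "alice", "op": "read"})
    # alice's own, validly MACed message, but claiming to be bob
    spoof = t.protect(sid, key, {"username": "bob", "op": "write"})
    return {
        "honest_naive": naive_decision(t, honest),
        "honest_correct": correct_decision(t, honest),
        "spoof_naive": naive_decision(t, spoof),
        "spoof_correct": correct_decision(t, spoof),
    }


def tampered_is_rejected():
    """An on-path edit to the payload fails the MAC before any decision is made."""
    t = AuthenticatedTransport()
    sid, key = t.establish("alice")
    msg = t.protect(sid, key, {"username": "alice", "op": "read"})
    msg["body"] = msg["body"].replace('"read"', '"write"')
    try:
        correct_decision(t, msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tampered message rejected:", tampered_is_rejected())
```

`demo()` shows the failure mode from the thread: with the naive handler, alice's message carrying `"username": "bob"` passes the MAC check (it really is from alice's session) and is then authorized as bob. The correct handler never reads the username field for identity, so the same message is refused, while tampering with the protected body is caught by the transport before the application sees it at all.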