
Re: application layer cross checking



Derek Atkins writes:
 > Because applications may not be ipsec peers...  Or, in most cases,
 > ipsec will be host-based, not user-based?

   This seems like a rather single user PC based
   mentality. If we were running a multiuser timesharing
   system, being able to supply credentials on a per
   user basis would be rather necessary, no? Or
   perhaps I have a smart card which does the
   signatures which identifies me regardless of 
   which machine I'm using, etc, etc. I don't see
   what prevents the SPD from having rules like
   "for 5-tuple [a,b,c,d,e], demand credentials in
    realm X" where those credentials might require
   a human to insert a piece of hardware, or type
   into a dialog box slapped up by the keying
   daemon, or whatever.

	      Mike

